Abstract. In 1992 Wang & Larsen extended the may- and must preorders of De Nicola and Hennessy to processes featuring probabilistic as well as nondeterministic choice. They concluded with two problems that have remained open throughout the years, namely to find complete axiomatisations and alternative characterisations for these preorders. This paper solves both problems for finite processes with silent moves. It characterises the may preorder in terms of simulation, and the must preorder in terms of failure simulation. It also gives a characterisation of both preorders using a modal logic. Finally it axiomatises both preorders over a probabilistic version of finite CSP.



1. Introduction

A satisfactory semantic theory for processes which encompass both nondeterministic and probabilistic behaviour has been a long-standing research problem. In 1992 Wang & Larsen posed the problems of finding complete axiomatisations and alternative characterisations for a natural generalisation of the standard testing preorders [6] to such processes. Here we solve both problems, at least for finite processes, by providing a detailed account of both may- and must testing preorders for a finite version of the process calculus CSP extended with probabilistic choice. For each preorder we provide three independent characterisations, using (i) co-inductive simulation relations, (ii) a modal logic and (iii) sets of inequations.

Testing processes: Our starting point is the finite process calculus pCSP [8] obtained by adding a probabilistic choice operator to finite CSP; like others who have done the same, we now have three choice operators, external $P \mathrel\Box Q$, internal $P \sqcap Q$ and the newly added probabilistic choice $P \mathrel{{}_p\oplus} Q$. So a semantic theory for pCSP will have to provide a coherent account of the precise relationships between these operators.

As a first step, in Section 2 we provide an interpretation of pCSP as a probabilistic labelled transition system, in which, following [38, 20], state-to-state transitions like $s \xrightarrow{a} s'$ from standard labelled transition systems are generalised to the form $s \xrightarrow{a} \Delta$, where $\Delta$ is a distribution, a mapping assigning probabilities to states. With this interpretation we obtain in Section 3 a version of the testing preorders of [6] for pCSP processes, $\sqsubseteq_{pmay}$ and $\sqsubseteq_{pmust}$. These are based on the ability of processes to pass tests; the tests we use are simply pCSP processes in which certain states are marked as success states. See [8] for a detailed discussion of the power of such tests.

The object of this paper is to give alternative characterisations of these testing preorders. This problem was addressed previously by Segala in [37], but using testing preorders ($\sqsubseteq^{\Omega}_{pmay}$ and $\sqsubseteq^{\Omega}_{pmust}$) that differ in two ways from the ones in [6], [15] and the present paper. First of all, in [37] the success of a test is achieved by the actual execution of a predefined success action, rather than the reaching of a success state. We call this an action-based approach, as opposed to the state-based approach used in this paper. Secondly, [37] employs a countable number of success actions instead of a single one; we call this vector-based, as opposed to scalar, testing. Segala's results in [37] depend crucially on this form of testing. To achieve our current results, we need Segala's preorders as a stepping stone. We relate them to ours by considering intermediate preorders $\sqsubseteq^{\omega}_{pmay}$ and $\sqsubseteq^{\omega}_{pmust}$ that arise from action-based but scalar testing (throughout, the superscript $\omega$ marks action-based scalar testing and $\Omega$ marks vector-based testing), and use a recent result [10] saying that for finite processes the preorders $\sqsubseteq^{\omega}_{pmay}$ and $\sqsubseteq^{\omega}_{pmust}$ coincide with $\sqsubseteq^{\Omega}_{pmay}$ and $\sqsubseteq^{\Omega}_{pmust}$. Here we show that on pCSP the preorders $\sqsubseteq_{pmay}$ and $\sqsubseteq_{pmust}$ also coincide with $\sqsubseteq^{\omega}_{pmay}$ and $\sqsubseteq^{\omega}_{pmust}$.¹

Simulation preorders: In Section 4 we use the transitions $s \xrightarrow{a} \Delta$ to define two co-inductive preorders, the simulation preorder $\sqsubseteq_S$ [36, 29, 8], and the novel failure simulation preorder $\sqsubseteq_{FS}$ over pCSP processes. The latter extends the failure simulation preorder of [11] to probabilistic processes. Their definition uses a natural generalisation of the transitions, first (Kleisli-style) to take the form $\Delta \xrightarrow{a} \Delta'$, and then to weak versions $\Delta \stackrel{a}{\Longrightarrow} \Delta'$. The second preorder differs from the first one in the use of a failure predicate $s \not\xrightarrow{X}$ indicating that in the state s none of the actions in X can be performed.

Both preorders are preserved by all the operators in pCSP, and are sound with respect to the testing preorders; that is, $P \sqsubseteq_S Q$ implies $P \sqsubseteq_{pmay} Q$ and $P \sqsubseteq_{FS} Q$ implies $P \sqsubseteq_{pmust} Q$. For $\sqsubseteq_S$ this was established in [8], and here we use similar techniques in the proofs for $\sqsubseteq_{FS}$. But completeness, that the testing preorders imply the respective simulation preorders, requires some ingenuity. We prove it indirectly, involving a characterisation of the testing and simulation preorders in terms of a modal logic.



¹ In the presence of divergence, however, they are slightly different.
Modal logic: Our modal logic, defined in Section 7, uses finite conjunction $\bigwedge_{i\in I}\varphi_i$, the modality $\langle a\rangle\varphi$ from the Hennessy-Milner Logic [16], and a novel probabilistic construct $\bigoplus_{i\in I} p_i\cdot\varphi_i$. A satisfaction relation between processes and formulae then gives, in a natural manner, a logical preorder between processes: $P \sqsubseteq_{\mathcal L} Q$ means that every $\mathcal L$-formula satisfied by P is also satisfied by Q. We establish that $\sqsubseteq_{\mathcal L}$ coincides with $\sqsubseteq_S$ and $\sqsubseteq_{pmay}$.

To capture failures, we add, for every set of actions X, a formula $\mathit{ref}(X)$ to our logic, satisfied by any process which, after it can do no further internal actions, can perform none of the actions in X either. The constructs $\bigwedge$, $\langle a\rangle$ and $\mathit{ref}(\cdot)$ stem from the modal characterisation of the non-probabilistic failure simulation preorder, given in [11]. We show that $\sqsubseteq_{pmust}$, as well as $\sqsubseteq_{FS}$, can be characterised in a similar manner with this extended modal logic.

Proof strategy: We prove these characterisation results through two cycles of inclusions:

$$\sqsubseteq_{\mathcal L} \;\subseteq\; \sqsubseteq_S \;\subseteq\; \sqsubseteq_{pmay} \;\subseteq\; \sqsubseteq^{\omega}_{pmay} \;\subseteq\; \sqsubseteq^{\Omega}_{pmay} \;\subseteq\; \sqsubseteq_{\mathcal L}$$

$$\sqsubseteq_{\mathcal F} \;\subseteq\; \sqsubseteq_{FS} \;\subseteq\; \sqsubseteq_{pmust} \;\subseteq\; \sqsubseteq^{\omega}_{pmust} \;\subseteq\; \sqsubseteq^{\Omega}_{pmust} \;\subseteq\; \sqsubseteq_{\mathcal F}$$

where the five inclusions of each cycle are established, from left to right, in Sections 7, 4, 5, 6 and 8.

In Section 7 we show that $P \sqsubseteq_{\mathcal L} Q$ implies $P \sqsubseteq_S Q$ (and hence $P \sqsubseteq_{pmay} Q$), and likewise for $\sqsubseteq_{\mathcal F}$ and $\sqsubseteq_{FS}$; the proof involves constructing, for each pCSP process P, a characteristic formula $\varphi_P$. To obtain the other direction, in Section 8 we show how every modal formula $\varphi$ can be captured, in some sense, by a test $T_\varphi$; essentially the ability of a pCSP process to satisfy $\varphi$ is determined by its ability to pass the test $T_\varphi$. We capture the conjunction of two formulae by a probabilistic choice between the corresponding tests; in order to prevent the results from these tests getting mixed up, we employ the vector-based tests of [37], so that we can use different success actions in the separate probabilistic branches. Therefore, we complete our proof by demonstrating that the state-based testing preorders imply the action-based ones (Section 5) and recalling the result from [10] that the action-based scalar testing preorders imply the vector-based ones (Section 6).

(In)equations: It is well-known that may- and must testing for standard CSP can be captured equationally [6, 15]. In [8] we showed that most of the standard equations are no longer valid in the probabilistic setting of pCSP; we also provided a set of axioms which are complete with respect to (probabilistic) may-testing for the sub-language of pCSP without probabilistic choice. Here we extend this result, by showing, in Section 10, that both $P \sqsubseteq_{pmay} Q$ and $P \sqsubseteq_{pmust} Q$ can still be captured equationally over full pCSP. In the may case the essential (in)equation required is

$$a.(P \mathrel{{}_p\oplus} Q) \;\sqsubseteq\; a.P \mathrel{{}_p\oplus} a.Q$$

The must case is more involved: in the absence of the distributivity of the external and internal choices over each other, to obtain completeness we require a complicated inequational schema.
2. Finite probabilistic CSP

Let Act be a finite set of visible (or external) actions, ranged over by $a, b, \ldots$, which processes can perform. Then the finite probabilistic CSP processes are given by the following two-sorted syntax:

$$P ::= S \;\mid\; P \mathrel{{}_p\oplus} P$$
$$S ::= 0 \;\mid\; a.P \;\mid\; P \sqcap P \;\mid\; S \mathrel\Box S \;\mid\; S \mathrel{|_A} S$$

We write pCSP, ranged over by P, Q, for the set of process terms defined by this grammar, and sCSP, ranged over by s, t, for the subset comprising only the state-based process terms (the sub-sort S above).

The process $P \mathrel{{}_p\oplus} Q$, for $0 < p < 1$, represents a probabilistic choice between P and Q: with probability p it will act like P and with probability $1-p$ it will act like Q. Any process is a probabilistic combination of state-based processes built by repeated application of the operator ${}_p\oplus$. The state-based processes have a CSP-like syntax, involving the stopped process 0, action prefixing $a.$ for $a \in Act$, internal- and external choices $\sqcap$ and $\Box$, and a parallel composition $|_A$ for $A \subseteq Act$.

The process $P \sqcap Q$ will first do a so-called internal action $\tau \notin Act$, choosing nondeterministically between P and Q. Therefore $\sqcap$, like $a.$, acts as a guard, in the sense that it converts any process arguments into a state-based process.

The process $s \mathrel\Box t$ on the other hand does not perform actions itself, but merely allows its arguments to proceed, disabling one argument as soon as the other has done a visible action. In order for this process to start from a state rather than a probability distribution of states, we require its arguments to be state-based as well; the same applies to $|_A$.

Finally, the expression $s \mathrel{|_A} t$, where $A \subseteq Act$, represents processes s and t running in parallel. They may synchronise by performing the same action from A simultaneously; such a synchronisation results in $\tau$. In addition s and t may independently do any action from $(Act \setminus A) \cup \{\tau\}$.

Although formally the operators $\Box$ and $|_A$ can only be applied to state-based processes, informally we use expressions of the form $P \mathrel\Box Q$ and $P \mathrel{|_A} Q$, where P and Q are not state-based, as syntactic sugar for expressions in the above syntax obtained by distributing $\Box$ and $|_A$ over ${}_p\oplus$. Thus for example $s \mathrel\Box (t_1 \mathrel{{}_p\oplus} t_2)$ abbreviates the term $(s \mathrel\Box t_1) \mathrel{{}_p\oplus} (s \mathrel\Box t_2)$.

The full language of CSP [17, 34] has many more operators; we have simply chosen a representative selection, and have added probabilistic choice. Our parallel operator is not a CSP primitive, but it can easily be expressed in terms of them; in particular $P \mathrel{|_A} Q = (P \mathrel{\|_A} Q) \setminus A$, where $\|_A$ and $\setminus A$ are the parallel composition and hiding operators of [34]. It can also be expressed in terms of the parallel composition, renaming and restriction operators of CCS. We have chosen this (non-associative) operator for convenience in defining the application of tests to processes.

As usual we may elide 0; the prefixing operator $a.$ binds stronger than any binary operator; and precedence between binary operators is indicated via brackets or spacing. We will also sometimes use indexed binary operators, such as $\bigoplus_{i\in I} p_i\cdot P_i$ with $\sum_{i\in I} p_i = 1$ and all $p_i > 0$, and $\bigsqcap_{i\in I} P_i$, for some finite index set I.
The above intuitions are formalised by an operational semantics² associating with each process term a graph-like structure representing its possible reactions to users' requests: we use a generalisation of labelled transition systems [30] that includes probabilities.

A (discrete) probability distribution over a set S is a function $\Delta : S \to [0,1]$ with $\sum_{s\in S}\Delta(s) = 1$; the support of $\Delta$ is given by $\lceil\Delta\rceil = \{ s \in S \mid \Delta(s) > 0 \}$. We write $\mathcal D(S)$, ranged over by $\Delta, \Theta$, for the set of all distributions over S with finite support; these finite distributions are sufficient for the results of this paper. We also write $\bar s$ to denote the point distribution assigning probability 1 to s and 0 to all others, so that $\lceil\bar s\rceil = \{s\}$. If $p_i \ge 0$ and $\Delta_i$ is a distribution for each i in some finite index set I, and $\sum_{i\in I} p_i = 1$, then the probability distribution $\sum_{i\in I} p_i\cdot\Delta_i \in \mathcal D(S)$ is given by

$$\Big(\sum_{i\in I} p_i\cdot\Delta_i\Big)(s) \;:=\; \sum_{i\in I} p_i\cdot\Delta_i(s);$$

we will sometimes write it as $p_1\cdot\Delta_1 + \ldots + p_n\cdot\Delta_n$ when the index set I is $\{1,\ldots,n\}$.

For $\Delta$ a distribution over S and a function $f : S \to X$ into a vector space X we sometimes write $\mathrm{Exp}_\Delta(f)$ for $\sum_{s\in S}\Delta(s)\cdot f(s)$, the expected value of f. Our primary use of this notation is with X being the vector space of reals or tuples of reals. More generally, for a function $F : S \to \mathbb P^+(X)$, with $\mathbb P^+(X)$ the collection of non-empty subsets of X, we define $\mathrm{Exp}_\Delta F := \{ \mathrm{Exp}_\Delta(f) \mid f \in F \}$; here $f \in F$ means that $f : S \to X$ is a choice function for F, that is, it satisfies the constraint that $f(s) \in F(s)$ for all $s \in S$.

We now give the probabilistic generalisation of labelled transition systems (LTSs):

Definition 2.1. A probabilistic labelled transition system (pLTS)³ is a triple $(S, L, \to)$, where

(i) S is a set of states,
(ii) L is a set of transition labels,
(iii) the relation $\to$ is a subset of $S \times L \times \mathcal D(S)$.

As with LTSs, we usually write $s \xrightarrow{\alpha} \Delta$ for $(s,\alpha,\Delta) \in \to$, $s \xrightarrow{\alpha}$ for $\exists\Delta : s \xrightarrow{\alpha} \Delta$, and $s \to$ for $\exists\alpha : s \xrightarrow{\alpha}$. An LTS may be viewed as a degenerate pLTS, one in which only point distributions are used.

The operational semantics of pCSP is defined by a particular pLTS $(\mathrm{sCSP}, Act_\tau, \to)$, constructed by taking sCSP to be the set of states and $Act_\tau := Act \cup \{\tau\}$ the set of transition labels; we let a range over Act and $\alpha$ over $Act_\tau$. We interpret pCSP processes P as distributions $[\![P]\!] \in \mathcal D(\mathrm{sCSP})$ via the function $[\![\_]\!] : \mathrm{pCSP} \to \mathcal D(\mathrm{sCSP})$ defined below:

$$[\![s]\!] := \bar s \qquad\text{for } s \in \mathrm{sCSP}$$
$$[\![P \mathrel{{}_p\oplus} Q]\!] := p\cdot[\![P]\!] + (1-p)\cdot[\![Q]\!]$$

Note that for each $P \in \mathrm{pCSP}$ the distribution $[\![P]\!]$ is finite, that is, it has finite support. The definition of the relations $\xrightarrow{\alpha}$ is given in Figure 1. These rules are very similar to the standard ones used to interpret CSP as an LTS [34], but modified so that the result of an action is a distribution. The rules for external choice and parallel composition use

² Although the syntax of pCSP is similar to other probabilistic extensions of CSP [28, 32, 31], our semantics differs. For more detailed comparisons, see Section 12.

³ Essentially the same model has appeared in the literature under different names such as NP-systems, probabilistic processes [22], simple probabilistic automata, probabilistic transition systems [25] etc. Furthermore, there are strong structural similarities with Markov Decision Processes [35].
$$a.P \xrightarrow{a} [\![P]\!] \qquad\qquad P \sqcap Q \xrightarrow{\tau} [\![P]\!] \qquad P \sqcap Q \xrightarrow{\tau} [\![Q]\!]$$

$$\frac{s_1 \xrightarrow{a} \Delta}{s_1 \mathrel\Box s_2 \xrightarrow{a} \Delta} \qquad\qquad \frac{s_2 \xrightarrow{a} \Delta}{s_1 \mathrel\Box s_2 \xrightarrow{a} \Delta}$$

$$\frac{s_1 \xrightarrow{\tau} \Delta}{s_1 \mathrel\Box s_2 \xrightarrow{\tau} \Delta \mathrel\Box s_2} \qquad\qquad \frac{s_2 \xrightarrow{\tau} \Delta}{s_1 \mathrel\Box s_2 \xrightarrow{\tau} s_1 \mathrel\Box \Delta}$$

$$\frac{s_1 \xrightarrow{\alpha} \Delta \qquad \alpha \notin A}{s_1 \mathrel{|_A} s_2 \xrightarrow{\alpha} \Delta \mathrel{|_A} s_2} \qquad\qquad \frac{s_2 \xrightarrow{\alpha} \Delta \qquad \alpha \notin A}{s_1 \mathrel{|_A} s_2 \xrightarrow{\alpha} s_1 \mathrel{|_A} \Delta}$$

$$\frac{s_1 \xrightarrow{a} \Delta_1 \qquad s_2 \xrightarrow{a} \Delta_2 \qquad a \in A}{s_1 \mathrel{|_A} s_2 \xrightarrow{\tau} \Delta_1 \mathrel{|_A} \Delta_2}$$

Figure 1: Operational semantics of pCSP

an obvious notation for distributing an operator over a distribution; for example $\Delta \mathrel\Box s$ represents the distribution given by

$$(\Delta \mathrel\Box s)(t) := \begin{cases} \Delta(s') & \text{if } t = s' \mathrel\Box s \\ 0 & \text{otherwise.} \end{cases}$$

We sometimes write $\tau.P$ for $P \sqcap P$, thus giving $\tau.P \xrightarrow{\tau} [\![P]\!]$.

We graphically depict the operational semantics of a pCSP expression P by drawing the part of the pLTS defined above that is reachable from $[\![P]\!]$ as a finite acyclic directed graph, often unwound into a tree. States are represented by nodes of the form • and distributions by nodes of the form ◦. For any state s and distribution $\Delta$ with $s \xrightarrow{\alpha} \Delta$ we draw an edge from s to $\Delta$, labelled with $\alpha$. For any distribution $\Delta$ and state s in $\lceil\Delta\rceil$, the support of $\Delta$, we draw an edge from $\Delta$ to s, labelled with $\Delta(s)$.

Example 2.2. Consider the two processes

$$P := a.((b.d \mathrel\Box c.e) \mathrel{{}_{\frac12}\oplus} (b.f \mathrel\Box c.g))$$
$$Q := a.((b.d \mathrel\Box c.g) \mathrel{{}_{\frac12}\oplus} (b.f \mathrel\Box c.e))$$

Their tree representations are depicted in Figure 2 (i) and (ii). To make these trees more compact we omit nodes ◦ when they represent trivial point distributions.


3. Testing pCSP processes 

A test is a pCSP process except that it may have subterms $\omega.P$ for a fresh action $\omega \notin Act_\tau$, a special action reporting success; we write $\mathrm{pCSP}^\omega$ for the set of all tests, and $\mathrm{sCSP}^\omega$ for the subset of state-based process terms that may involve the action $\omega$, and the operational semantics above is extended by treating $\omega$ like any other action from Act. To apply test T to process P we form the process $T \mathrel{|_{Act}} P$ in which all visible actions of P must synchronise with T, and define a set of testing outcomes $\mathcal A(T,P)$ where each outcome, in [0,1], arises from a resolution of the nondeterministic choices in $T \mathrel{|_{Act}} P$ and gives the probability that this resolution will reach a success state, one in which $\omega$ is possible.
Figure 2: Example processes P, Q and test T (tree representations of (i) P, (ii) Q and (iii) T; the drawings are not reproduced here)

To this end, we inductively define a results-gathering function $\mathcal V : \mathrm{sCSP}^\omega \to \mathbb P^+([0,1])$; it extends to type $\mathcal D(\mathrm{sCSP}^\omega) \to \mathbb P^+([0,1])$ via the convention $\mathcal V(\Delta) := \mathrm{Exp}_\Delta\,\mathcal V$.

$$\mathcal V(s) := \begin{cases} \{1\} & \text{if } s \xrightarrow{\omega}, \\[2pt] \bigcup\{\mathcal V(\Delta) \mid s \xrightarrow{\alpha} \Delta\} & \text{if } s \not\xrightarrow{\omega} \text{ but still } s \to, \\[2pt] \{0\} & \text{if } s \not\to. \end{cases}$$

In the first case above $s \xrightarrow{\omega}$ signifies that s is a success state. In the second case we mean that $\omega$ is not possible from s (hence s is not a success state) but that at least one "non-success" action $\alpha \in Act_\tau$ is, and possibly several; the union is then over all such $\alpha$. This is done so that $\mathcal V$ accounts for success actions in processes generally; when applied to test outcomes, however, the only non-success action is $\tau$. Note that $\mathcal V$ is well defined when applied to finite, loop-free processes, such as the ones of pCSP.

Definition 3.1. For any pCSP process P and test T, define

$$\mathcal A(T,P) := \mathcal V([\![T \mathrel{|_{Act}} P]\!])\,.$$

With this definition, the general testing framework of [6] yields two testing preorders for pCSP, one based on may testing, written $P \sqsubseteq_{pmay} Q$, and the other on must testing, written $P \sqsubseteq_{pmust} Q$.

Definition 3.2. The may- and must preorders are given by

$$P \sqsubseteq_{pmay} Q \;\text{ iff for all tests } T:\; \mathcal A(T,P) \le_{Ho} \mathcal A(T,Q)$$
$$P \sqsubseteq_{pmust} Q \;\text{ iff for all tests } T:\; \mathcal A(T,P) \le_{Sm} \mathcal A(T,Q)$$

with $\le_{Ho}$, $\le_{Sm}$ the Hoare and Smyth preorders on $\mathbb P^+[0,1]$. These are defined as follows:

$$X \le_{Ho} Y \;\text{ iff }\; \forall x \in X:\; \exists y \in Y:\; x \le y$$
$$X \le_{Sm} Y \;\text{ iff }\; \forall y \in Y:\; \exists x \in X:\; x \le y$$

In other words, Q is a correct refinement of P in the probabilistic may-testing preorder if each outcome (in [0,1]) of applying a test to process P can be matched or increased by applying the same test to process Q. Likewise, Q is a correct refinement of P in the probabilistic must-testing preorder if each outcome of applying a test to Q matches or increases an outcome obtainable by applying the same test to P.
Figure 3: Testing P and Q with T ((i) $T \mathrel{|_{Act}} P$, (ii) $T \mathrel{|_{Act}} Q$; the drawings are not reproduced here).

Example 3.3. Consider the test

$$T := a.((b.d.\omega \mathrel{{}_{\frac12}\oplus} c.e.\omega) \sqcap c.g.\omega)$$

which is graphically depicted in Figure 2 (iii). If we apply T to the processes P and Q given in Example 2.2 we form the two processes described in Figure 3. It is then easy to calculate the testing outcomes:

$$\mathcal A(T,P) = \tfrac12\cdot\{1,0\} + \tfrac12\cdot\{1,0\} = \{0, \tfrac12, 1\}$$
$$\mathcal A(T,Q) = \tfrac12\cdot\{\tfrac12, 1\} + \tfrac12\cdot\{\tfrac12, 0\} = \{\tfrac14, \tfrac12, \tfrac34\}$$

(In either probabilistic branch of P, the internal choice in T either lines up with that branch and reaches $\omega$ with probability 1, or deadlocks before $\omega$ with probability 0; against either branch of Q the probabilistic half of T scores exactly $\tfrac12$, while its $c.g.\omega$ half scores 1 against one branch and 0 against the other.) We can see that P and Q can be distinguished by the test T since $\mathcal A(T,P) \not\le_{Ho} \mathcal A(T,Q)$ and $\mathcal A(T,Q) \not\le_{Sm} \mathcal A(T,P)$. In other words, we have $P \not\sqsubseteq_{pmay} Q$ and $Q \not\sqsubseteq_{pmust} P$ because of the witness test T.
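The outcome sets of Example 3.3 can be recomputed mechanically from the definitions of Sections 2 and 3. The following Python script is an added example and not code from the paper: it encodes pCSP terms as nested tuples, implements the transition rules of Figure 1 (with the syntactic sugar that distributes $\Box$ and $|_A$ over ${}_p\oplus$), the results-gathering function $\mathcal V$ together with the action-based variant used in Section 5, and the Hoare and Smyth preorders, and then evaluates $\mathcal A(T,P)$ and $\mathcal A(T,Q)$ exactly with rational arithmetic. The tuple tags, the constructor names (`pre`, `pc`) and the function names are the script's own conventions; the processes P, Q and T are constructed here from the definitions in Examples 2.2 and 3.3.

```python
# Added example (not from the paper): a toy pCSP interpreter that recomputes
# the testing outcomes of Example 3.3.  Terms are nested tuples:
#   ('nil',)  ('pre', a, P)  ('int', P, Q)  ('ext', P, Q)  ('par', A, P, Q)
#   ('pc', p, P, Q)   for the probabilistic choice P p(+) Q
# Tuple tags and helper names are this script's own conventions.
from fractions import Fraction as F
from itertools import product

TAU, OMEGA = 'tau', 'omega'

def pre(a, P=None): return ('pre', a, P if P is not None else ('nil',))
def pc(p, P, Q): return ('pc', F(p), P, Q)

def add(out, s, q): out[s] = out.get(s, F(0)) + q

def dmap(d, f):
    """distribute a unary operator over a distribution, e.g. Delta [] s"""
    out = {}
    for s, q in d.items(): add(out, f(s), q)
    return out

def dprod(d1, d2, f):
    """distribute a binary operator over two independent distributions"""
    out = {}
    for (s, p), (t, q) in product(d1.items(), d2.items()): add(out, f(s, t), p * q)
    return out

def interp(P):
    """[[P]]: the finite distribution over state-based terms denoted by P;
    [] and |A applied to non-states are the paper's syntactic sugar"""
    k = P[0]
    if k == 'pc':
        out = {}
        for s, q in interp(P[2]).items(): add(out, s, P[1] * q)
        for s, q in interp(P[3]).items(): add(out, s, (1 - P[1]) * q)
        return out
    if k == 'ext':
        return dprod(interp(P[1]), interp(P[2]), lambda s, t: ('ext', s, t))
    if k == 'par':
        return dprod(interp(P[2]), interp(P[3]), lambda s, t: ('par', P[1], s, t))
    return {P: F(1)}                         # a state-based term is a point distribution

def steps(s):
    """the transitions s --alpha--> Delta of Figure 1, as (alpha, Delta) pairs"""
    k = s[0]
    if k == 'nil': return []
    if k == 'pre': return [(s[1], interp(s[2]))]
    if k == 'int': return [(TAU, interp(s[1])), (TAU, interp(s[2]))]
    out = []
    if k == 'ext':
        l, r = s[1], s[2]
        for a, d in steps(l):                # a visible move resolves the choice,
            out.append((a, dmap(d, lambda x: ('ext', x, r)) if a == TAU else d))
        for a, d in steps(r):                # a tau move keeps it open
            out.append((a, dmap(d, lambda x: ('ext', l, x)) if a == TAU else d))
        return out
    A, l, r = s[1], s[2], s[3]
    for a, d in steps(l):                    # independent moves outside A (incl. tau)
        if a not in A: out.append((a, dmap(d, lambda x: ('par', A, x, r))))
    for a, d in steps(r):
        if a not in A: out.append((a, dmap(d, lambda x: ('par', A, l, x))))
    for (a, d1), (b, d2) in product(steps(l), steps(r)):
        if a == b and a in A:                # synchronisation on A yields tau
            out.append((TAU, dprod(d1, d2, lambda x, y: ('par', A, x, y))))
    return out

def expect(d, V):
    """Exp_Delta(V): one weighted sum per choice function f with f(s) in V(s)"""
    states = list(d)
    return {sum((d[s] * v for s, v in zip(states, ch)), F(0))
            for ch in product(*(V(s) for s in states))}

def results(s, action_based=False):
    """the results-gathering function V of Section 3 (reaching an omega-enabled
    state scores 1), or the Section 5 variant (executing omega scores 1)"""
    tr = steps(s)
    if not tr: return {F(0)}                 # deadlock: no success possible
    success = any(a == OMEGA for a, _ in tr)
    if success and not action_based: return {F(1)}
    out = {F(1)} if success else set()
    for a, d in tr:
        if a != OMEGA: out |= expect(d, lambda t: results(t, action_based))
    return out

def outcomes(T, P, Act, action_based=False):
    """A(T, P) = V([[T |Act P]]); omega must not be in Act"""
    return expect(interp(('par', frozenset(Act), T, P)),
                  lambda s: results(s, action_based))

def hoare(X, Y): return all(any(x <= y for y in Y) for x in X)   # X <=Ho Y
def smyth(X, Y): return all(any(x <= y for x in X) for y in Y)   # X <=Sm Y

# Example 2.2 / 3.3, constructed here from the paper's definitions
a, b, c, d, e, f, g = 'abcdefg'
ACT = set('abcdefg')
P = pre(a, pc('1/2', ('ext', pre(b, pre(d)), pre(c, pre(e))),
                     ('ext', pre(b, pre(f)), pre(c, pre(g)))))
Q = pre(a, pc('1/2', ('ext', pre(b, pre(d)), pre(c, pre(g))),
                     ('ext', pre(b, pre(f)), pre(c, pre(e)))))
T = pre(a, ('int', pc('1/2', pre(b, pre(d, pre(OMEGA))), pre(c, pre(e, pre(OMEGA)))),
                   pre(c, pre(g, pre(OMEGA)))))

def example_3_3():
    """returns A(T,P), A(T,Q), [A(T,P) <=Ho A(T,Q)], [A(T,Q) <=Sm A(T,P)]"""
    AP, AQ = outcomes(T, P, ACT), outcomes(T, Q, ACT)
    return AP, AQ, hoare(AP, AQ), smyth(AQ, AP)

if __name__ == '__main__':
    AP, AQ, ho, sm = example_3_3()
    print(sorted(map(str, AP)), sorted(map(str, AQ)), ho, sm)
```

Running the script reproduces $\{0, \tfrac12, 1\}$ and $\{\tfrac14, \tfrac12, \tfrac34\}$ and reports that neither the Hoare nor the (reversed) Smyth comparison holds, i.e. the two failures of refinement stated above. Passing `action_based=True` to `outcomes` switches to the results-gathering function of Section 5; on these finite, loop-free processes it returns the same sets, which is the special case of the coincidence of state- and action-based testing that Theorem 5.2 establishes in general. Distributions are kept as exact `Fraction` maps so that outcomes such as $\tfrac14$ compare exactly.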

In [8] we applied the testing framework described above to show that many standard laws of CSP are no longer valid in the probabilistic setting of pCSP, and to provide counterexamples for a few distributive laws involving probabilistic choice that may appear plausible at first sight. We also showed that $P \sqsubseteq_{pmust} Q$ implies $Q \sqsubseteq_{pmay} P$ for all pCSP processes P and Q, i.e. that must testing is more discriminating than may testing and that the preorders $\sqsubseteq_{pmay}$ and $\sqsubseteq_{pmust}$ are oriented in opposite directions.

4. Simulation and failure simulation 

Let $\mathcal R \subseteq S \times \mathcal D(S)$ be a relation from states to distributions. As in [8], we lift it to a relation $\overline{\mathcal R} \subseteq \mathcal D(S) \times \mathcal D(S)$ by letting $\Delta \mathrel{\overline{\mathcal R}} \Theta$ whenever there is a finite index set I and $p \in \mathcal D(I)$ such that

(i) $\Delta = \sum_{i\in I} p_i\cdot\bar s_i$,

(ii) for each $i \in I$ there is a distribution $\Phi_i$ such that $s_i \mathrel{\mathcal R} \Phi_i$,

(iii) $\Theta = \sum_{i\in I} p_i\cdot\Phi_i$.
For functions, the lifting operation can be understood as a Kleisli construction on a probabilistic power domain [18], and was implicit in the work of Kozen [25]; in our more general setting of relations, it can equivalently be defined in terms of a distribution on $\mathcal R$, sometimes called a weight function (see e.g. [36]). An important point here is that in the decomposition (i) of $\Delta$ into $\sum_{i\in I} p_i\cdot\bar s_i$ the states $s_i$ are not necessarily distinct: that is, the decomposition is not in general unique. For notational convenience, the lifted versions of the transition relations $\xrightarrow{\alpha}$ for $\alpha \in Act_\tau$ are again denoted $\xrightarrow{\alpha}$.

We write $s \xrightarrow{\hat\tau} \Delta$ if either $s \xrightarrow{\tau} \Delta$ or $\Delta = \bar s$; again $\Delta_1 \xrightarrow{\hat\tau} \Delta_2$ denotes the lifted relation. Thus for example we have $[\![(a \sqcap b) \mathrel{{}_{\frac12}\oplus} (a \sqcap c)]\!] \xrightarrow{\hat\tau} [\![a \mathrel{{}_{\frac12}\oplus} ((a \sqcap b) \mathrel{{}_{\frac12}\oplus} c)]\!]$ because

(i) $[\![(a \sqcap b) \mathrel{{}_{\frac12}\oplus} (a \sqcap c)]\!] = \tfrac14\cdot\overline{(a \sqcap b)} + \tfrac14\cdot\overline{(a \sqcap b)} + \tfrac14\cdot\overline{(a \sqcap c)} + \tfrac14\cdot\overline{(a \sqcap c)}$,

(ii) $\overline{(a \sqcap b)} \xrightarrow{\hat\tau} \bar a$, $\quad \overline{(a \sqcap b)} \xrightarrow{\hat\tau} \overline{(a \sqcap b)}$, $\quad \overline{(a \sqcap c)} \xrightarrow{\hat\tau} \bar a$, $\quad \overline{(a \sqcap c)} \xrightarrow{\hat\tau} \bar c$,

(iii) and $[\![a \mathrel{{}_{\frac12}\oplus} ((a \sqcap b) \mathrel{{}_{\frac12}\oplus} c)]\!] = \tfrac14\cdot\bar a + \tfrac14\cdot\overline{(a \sqcap b)} + \tfrac14\cdot\bar a + \tfrac14\cdot\bar c$.

We now define the weak transition relation $\Longrightarrow$ as the transitive and reflexive closure of $\xrightarrow{\hat\tau}$, while for $a \neq \tau$ we let $\Delta_1 \stackrel{a}{\Longrightarrow} \Delta_2$ denote $\Delta_1 \Longrightarrow \xrightarrow{a} \Longrightarrow \Delta_2$. Finally, we write $s \not\xrightarrow{X}$ with $X \subseteq Act$ when $\forall \alpha \in X \cup \{\tau\} : s \not\xrightarrow{\alpha}$, and $\Delta \not\xrightarrow{X}$ when $\forall s \in \lceil\Delta\rceil : s \not\xrightarrow{X}$. The main properties of the lifted weak transition relations which are used throughout the paper are given in the following lemma.

Lemma 4.1. Suppose $\sum_{i\in I} p_i = 1$ and $\Delta_i \Longrightarrow \Phi_i$ for each $i \in I$, with I a finite index set. Then

$$\sum_{i\in I} p_i\cdot\Delta_i \;\Longrightarrow\; \sum_{i\in I} p_i\cdot\Phi_i\,.$$

Conversely, if $\sum_{i\in I} p_i\cdot\Delta_i \Longrightarrow \Phi$ then $\Phi = \sum_{i\in I} p_i\cdot\Phi_i$ for some $\Phi_i$ such that $\Delta_i \Longrightarrow \Phi_i$ for each $i \in I$.

Proof. The first claim occurs as Lemma 6.6 of [8]. The second follows by repeated application of Proposition 6.1(ii) of [8], taking $\mathcal R$ to be $\xrightarrow{\hat\tau}$ and $\xrightarrow{a}$ for $a \in Act$. □

Definition 4.2. A relation $\mathcal R \subseteq \mathrm{sCSP} \times \mathcal D(\mathrm{sCSP})$ is said to be a failure simulation if for all $s, \Theta, \alpha, \Delta, X$ we have that

• $s \mathrel{\mathcal R} \Theta \;\wedge\; s \xrightarrow{\alpha} \Delta$ implies $\exists\Theta' : \Theta \stackrel{\hat\alpha}{\Longrightarrow} \Theta' \;\wedge\; \Delta \mathrel{\overline{\mathcal R}} \Theta'$

• $s \mathrel{\mathcal R} \Theta \;\wedge\; s \not\xrightarrow{X}$ implies $\exists\Theta' : \Theta \Longrightarrow \Theta' \;\wedge\; \Theta' \not\xrightarrow{X}$.

We write $s \lhd_{FS} \Theta$ to mean that there is some failure simulation $\mathcal R$ such that $s \mathrel{\mathcal R} \Theta$.

Similarly, we define simulation⁴ and $s \lhd_S \Theta$ by dropping the second clause in Definition 4.2.⁵

Definition 4.3. The simulation preorder $\sqsubseteq_S$ and failure simulation preorder $\sqsubseteq_{FS}$ on pCSP are defined as follows:

$$P \sqsubseteq_S Q \;\text{ iff }\; [\![Q]\!] \Longrightarrow \Theta \text{ for some } \Theta \text{ with } [\![P]\!] \mathrel{\overline{\lhd_S}} \Theta$$
$$P \sqsubseteq_{FS} Q \;\text{ iff }\; [\![P]\!] \Longrightarrow \Theta \text{ for some } \Theta \text{ with } [\![Q]\!] \mathrel{\overline{\lhd_{FS}}} \Theta\,.$$

(Note the opposing directions.) The equivalences generated by $\sqsubseteq_S$ and $\sqsubseteq_{FS}$ are called (failure) simulation equivalence, denoted $\simeq_S$ and $\simeq_{FS}$, respectively.

⁴ It is called forward simulation in [36].

⁵ We have reversed the orientation of the symbols $\lhd_S$ and $\lhd_{FS}$ w.r.t. [8] and [9]; the pointy side now points to a single state, and the flat side to a distribution.
Example 4.4. Compare the processes $P = a \mathrel{{}_{\frac12}\oplus} b$ and $P \sqcap P$. Note that $[\![P]\!]$ is the distribution $\tfrac12\cdot\bar a + \tfrac12\cdot\bar b$ whereas $[\![P \sqcap P]\!]$ is the point distribution $\overline{P \sqcap P}$. The relation $\mathcal R$ given by

$$(P \sqcap P) \mathrel{\mathcal R} (\tfrac12\cdot\bar a + \tfrac12\cdot\bar b) \qquad a \mathrel{\mathcal R} \bar a \qquad b \mathrel{\mathcal R} \bar b \qquad 0 \mathrel{\mathcal R} \bar 0$$

is a simulation, because the $\tau$-step $P \sqcap P \xrightarrow{\tau} (\tfrac12\cdot\bar a + \tfrac12\cdot\bar b)$ can be matched by the idle transition $(\tfrac12\cdot\bar a + \tfrac12\cdot\bar b) \Longrightarrow (\tfrac12\cdot\bar a + \tfrac12\cdot\bar b)$, and we have $(\tfrac12\cdot\bar a + \tfrac12\cdot\bar b) \mathrel{\overline{\mathcal R}} (\tfrac12\cdot\bar a + \tfrac12\cdot\bar b)$. Thus $(P \sqcap P) \lhd_S (\tfrac12\cdot\bar a + \tfrac12\cdot\bar b) = [\![P]\!]$, hence $[\![P \sqcap P]\!] \mathrel{\overline{\lhd_S}} [\![P]\!]$, and therefore $P \sqcap P \sqsubseteq_S P$.

This type of reasoning does not apply to the other direction. Any simulation $\mathcal R$ with $(\tfrac12\cdot\bar a + \tfrac12\cdot\bar b) \mathrel{\overline{\mathcal R}} \overline{P \sqcap P}$ would have to satisfy $a \mathrel{\mathcal R} \overline{P \sqcap P}$ and $b \mathrel{\mathcal R} \overline{P \sqcap P}$. However, the move $a \xrightarrow{a} \bar 0$ cannot be matched by the process $P \sqcap P$, as the only transition the latter process can do is $P \sqcap P \xrightarrow{\tau} (\tfrac12\cdot\bar a + \tfrac12\cdot\bar b)$, and only half of that distribution can match the a-move. Thus, no such simulation exists, and we find that $[\![P]\!] \mathrel{\overline{\lhd_S}} [\![P \sqcap P]\!]$ does not hold. Nevertheless, we still have $P \sqsubseteq_S P \sqcap P$. Here, the transition $\Longrightarrow$ from Definition 4.3 comes to the rescue. As $[\![P \sqcap P]\!] \Longrightarrow [\![P]\!]$ and $[\![P]\!] \mathrel{\overline{\lhd_S}} [\![P]\!]$, we obtain $P \sqsubseteq_S P \sqcap P$.

Example 4.5. Let $P = a \mathrel{{}_{\frac12}\oplus} b$ and $Q = P \mathrel\Box P$. We have $P \sqsubseteq_S Q$ because $[\![P]\!] \mathrel{\overline{\lhd_S}} [\![Q]\!]$, which comes from the following observations:

(1) $[\![P]\!] = \tfrac12\cdot\bar a + \tfrac12\cdot\bar b$

(2) $[\![Q]\!] = \tfrac12\cdot(\tfrac12\cdot\overline{a \mathrel\Box a} + \tfrac12\cdot\overline{a \mathrel\Box b}) + \tfrac12\cdot(\tfrac12\cdot\overline{b \mathrel\Box a} + \tfrac12\cdot\overline{b \mathrel\Box b})$

(3) $a \lhd_S (\tfrac12\cdot\overline{a \mathrel\Box a} + \tfrac12\cdot\overline{a \mathrel\Box b})$

(4) $b \lhd_S (\tfrac12\cdot\overline{b \mathrel\Box a} + \tfrac12\cdot\overline{b \mathrel\Box b})$

This kind of reasoning does not apply to $\lhd_{FS}$. For example, we have $a \not\lhd_{FS} (\tfrac12\cdot\overline{a \mathrel\Box a} + \tfrac12\cdot\overline{a \mathrel\Box b})$ because the state on the left hand side can refuse to do action b while the distribution on the right hand side cannot. Indeed, it holds that $Q \not\sqsubseteq_{FS} P$.

We have already shown in [8] that $\sqsubseteq_S$ is a precongruence and that it implies $\sqsubseteq_{pmay}$. Similar results can be established for $\sqsubseteq_{FS}$ as well. Below we summarise these facts.

Proposition 4.6. Suppose $\sqsubseteq \in \{\sqsubseteq_S, \sqsubseteq_{FS}\}$. Then $\sqsubseteq$ is a preorder, and if $P_i \sqsubseteq Q_i$ for $i = 1,2$ then $a.P_1 \sqsubseteq a.Q_1$ for $a \in Act$ and $P_1 \odot P_2 \sqsubseteq Q_1 \odot Q_2$ for $\odot \in \{\sqcap, \Box, {}_p\oplus, |_A\}$.

Proof. The case $\sqsubseteq_S$ was proved in [8, Corollary 6.10 and Theorem 6.13]; the case $\sqsubseteq_{FS}$ is analogous. As an example, we show that $\sqsubseteq_{FS}$ is preserved under parallel composition. The key step is to show that the binary relation $\mathcal R \subseteq \mathrm{sCSP} \times \mathcal D(\mathrm{sCSP})$ defined by

$$\mathcal R := \{ (s_1 \mathrel{|_A} s_2,\; \Delta_1 \mathrel{|_A} \Delta_2) \mid s_1 \lhd_{FS} \Delta_1 \;\wedge\; s_2 \lhd_{FS} \Delta_2 \}$$

is a failure simulation.

Suppose $s_i \lhd_{FS} \Delta_i$ for $i = 1,2$ and $s_1 \mathrel{|_A} s_2 \not\xrightarrow{X}$ for some $X \subseteq Act$. For each $a \in X$ there are two possibilities:

• If $a \notin A$ then $s_1 \not\xrightarrow{a}$ and $s_2 \not\xrightarrow{a}$, since otherwise we would have $s_1 \mathrel{|_A} s_2 \xrightarrow{a}$.

• If $a \in A$ then either $s_1 \not\xrightarrow{a}$ or $s_2 \not\xrightarrow{a}$, since otherwise we would have $s_1 \mathrel{|_A} s_2 \xrightarrow{\tau}$.

Hence we can partition the set X into three subsets $X_0$, $X_1$ and $X_2$ such that $X_0 = X \setminus A$ and $X_1 \cup X_2 \subseteq A$ with $s_1 \not\xrightarrow{X_0 \cup X_1}$ and $s_2 \not\xrightarrow{X_0 \cup X_2}$, but allowing $s_1 \xrightarrow{a}$ for some $a \in X_2$ and $s_2 \xrightarrow{a}$ for some $a \in X_1$. We then have that $s_i \not\xrightarrow{X_0 \cup X_i}$ for $i = 1,2$. By the assumption that $s_i \lhd_{FS} \Delta_i$ for $i = 1,2$, there is a $\Delta_i'$ with $\Delta_i \Longrightarrow \Delta_i'$ and $\Delta_i' \not\xrightarrow{X_0 \cup X_i}$. Therefore $\Delta_1' \mathrel{|_A} \Delta_2' \not\xrightarrow{X}$ as well. It is stated in [8, Lemma 6.12(i)] that if $\Phi \Longrightarrow \Phi'$ then $\Phi \mathrel{|_A} \Delta \Longrightarrow \Phi' \mathrel{|_A} \Delta$ and $\Delta \mathrel{|_A} \Phi \Longrightarrow \Delta \mathrel{|_A} \Phi'$. So we have $\Delta_1 \mathrel{|_A} \Delta_2 \Longrightarrow \Delta_1' \mathrel{|_A} \Delta_2'$. Hence $\Delta_1 \mathrel{|_A} \Delta_2$ can match up the failures of $s_1 \mathrel{|_A} s_2$.

The matching up of transitions and the use of $\overline{\mathcal R}$ to prove the preservation property of $\sqsubseteq_{FS}$ under parallel composition are similar to those in the corresponding proof for simulations [8, Theorem 6.13(v)], so we omit them. □

We recall the following result from [8, Theorem 6.17].

Theorem 4.7. If $P \sqsubseteq_S Q$ then $P \sqsubseteq_{pmay} Q$.

Proof. For any test $T \in \mathrm{pCSP}^\omega$ and process $P \in \mathrm{pCSP}$ the set $\mathcal V([\![T \mathrel{|_{Act}} P]\!])$ is finite, so

$$P \sqsubseteq_{pmay} Q \;\text{ iff }\; \max(\mathcal V([\![T \mathrel{|_{Act}} P]\!])) \le \max(\mathcal V([\![T \mathrel{|_{Act}} Q]\!])) \text{ for every test } T. \tag{4.1}$$

The following properties for $\Delta_1, \Delta_2 \in \mathcal D(\mathrm{sCSP}^\omega)$ and $\alpha \in Act_\tau$ are not hard to establish:

$$\Delta_1 \xrightarrow{\alpha} \Delta_2 \;\text{ implies }\; \max(\mathcal V(\Delta_1)) \ge \max(\mathcal V(\Delta_2)). \tag{4.2}$$
$$\Delta_1 \mathrel{\overline{\lhd_S}} \Delta_2 \;\text{ implies }\; \max(\mathcal V(\Delta_1)) \le \max(\mathcal V(\Delta_2)). \tag{4.3}$$

In [8, Lemma 6.15 and Proposition 6.16] similar properties are proven using a function maxlive instead of $\max\circ\mathcal V$. The same arguments apply here.

Now suppose $P \sqsubseteq_S Q$. Since $\sqsubseteq_S$ is preserved by the parallel operator we have that $T \mathrel{|_{Act}} P \sqsubseteq_S T \mathrel{|_{Act}} Q$ for an arbitrary test T. By definition, this means that there is a distribution $\Delta$ such that $[\![T \mathrel{|_{Act}} Q]\!] \Longrightarrow \Delta$ and $[\![T \mathrel{|_{Act}} P]\!] \mathrel{\overline{\lhd_S}} \Delta$. By (4.2), applied to each step of the weak transition, and (4.3) we infer that $\max(\mathcal V([\![T \mathrel{|_{Act}} P]\!])) \le \max(\mathcal V([\![T \mathrel{|_{Act}} Q]\!]))$. The result now follows from (4.1). □

It is tempting to use the same idea to prove that $\sqsubseteq_{FS}$ implies $\sqsubseteq_{pmust}$, but now using the function $\min\circ\mathcal V$. However, the min-analogue of Property (4.2) is in general invalid. For example, let R be the process $a \mathrel{|_{Act}} (a \mathrel\Box \omega)$. We have $\min(\mathcal V(R)) = 1$, yet $R \Longrightarrow \overline{0 \mathrel{|_{Act}} 0}$ and $\min(\mathcal V(0 \mathrel{|_{Act}} 0)) = 0$. Therefore, it is not the case that $\Delta_1 \Longrightarrow \Delta_2$ implies $\min(\mathcal V(\Delta_1)) \le \min(\mathcal V(\Delta_2))$.

Our strategy is therefore as follows. Write $s \xrightarrow{\alpha}_\omega \Delta$ if both $s \xrightarrow{\alpha} \Delta$ and $s \not\xrightarrow{\omega}$ hold. We define $\xrightarrow{\hat\tau}_\omega$ as $\xrightarrow{\hat\tau}$, using $\xrightarrow{\tau}_\omega$ in place of $\xrightarrow{\tau}$. Similarly we define $\Longrightarrow_\omega$ and $\stackrel{\hat\alpha}{\Longrightarrow}_\omega$. Thus the subscript $\omega$ on a transition of any kind indicates that no state is passed through in which $\omega$ is enabled. A version of failure simulation adapted to these transition relations is then defined as follows.

Definition 4.8. Let $\lhd^{e}_{FS} \subseteq \mathrm{sCSP}^\omega \times \mathcal D(\mathrm{sCSP}^\omega)$ be the largest relation such that $s \lhd^{e}_{FS} \Theta$ implies

• if $s \xrightarrow{\alpha}_\omega \Delta$ then there is some $\Theta'$ with $\Theta \stackrel{\hat\alpha}{\Longrightarrow}_\omega \Theta'$ and $\Delta \mathrel{\overline{\lhd^{e}_{FS}}} \Theta'$

• if $s \not\xrightarrow{X}$ with $\omega \in X$ then there is some $\Theta'$ with $\Theta \Longrightarrow_\omega \Theta'$ and $\Theta' \not\xrightarrow{X}$.

Let $P \sqsubseteq^{e}_{FS} Q$ iff $[\![P]\!] \Longrightarrow \Theta$ for some $\Theta$ with $[\![Q]\!] \mathrel{\overline{\lhd^{e}_{FS}}} \Theta$.

Note that for processes P, Q in pCSP (as opposed to $\mathrm{pCSP}^\omega$), we have $P \sqsubseteq^{e}_{FS} Q$ iff $P \sqsubseteq_{FS} Q$.

Proposition 4.9. If P, Q are processes in pCSP with $P \sqsubseteq_{FS} Q$ and T is a process in $\mathrm{pCSP}^\omega$ then $T \mathrel{|_{Act}} P \sqsubseteq^{e}_{FS} T \mathrel{|_{Act}} Q$.

Proof. Similar to the proof of Proposition 4.6. □
Proposition 4.10. The following properties hold for $\min\circ\mathcal V$, with $\Delta_1, \Delta_2 \in \mathcal D(\mathrm{sCSP}^\omega)$:

$$P \sqsubseteq_{pmust} Q \;\text{ iff }\; \min(\mathcal V([\![T \mathrel{|_{Act}} P]\!])) \le \min(\mathcal V([\![T \mathrel{|_{Act}} Q]\!])) \text{ for every test } T. \tag{4.4}$$
$$\Delta_1 \xrightarrow{\alpha} \Delta_2 \text{ for } \alpha \in Act_\tau \;\text{ implies }\; \min(\mathcal V(\Delta_1)) \le \min(\mathcal V(\Delta_2)). \tag{4.5}$$
$$\Delta_1 \mathrel{\overline{\lhd^{e}_{FS}}} \Delta_2 \;\text{ implies }\; \min(\mathcal V(\Delta_1)) \ge \min(\mathcal V(\Delta_2)). \tag{4.6}$$

Proof. Property (4.4) is again straightforward, and Property (4.5) can be established just as in Lemma 6.15 in [8], but with all $\le$-signs reversed. Property (4.6) follows by structural induction, simultaneously with the property, for $s \in \mathrm{sCSP}^\omega$ and $\Delta \in \mathcal D(\mathrm{sCSP}^\omega)$, that

$$s \lhd^{e}_{FS} \Delta \;\text{ implies }\; \min(\mathcal V(s)) \ge \min(\mathcal V(\Delta))\,. \tag{4.7}$$

The reduction of Property (4.6) to (4.7) proceeds exactly as in [8, Lemma 6.16(ii)]. For (4.7) itself we distinguish three cases:

• If $s \xrightarrow{\omega}$ then $\min(\mathcal V(s)) = 1 \ge \min(\mathcal V(\Delta))$ trivially.

• If $s \not\xrightarrow{\omega}$ but $s \to$ then we can closely follow the proof of [8, Lemma 6.16(i)]: Whenever $s \xrightarrow{\alpha} \Theta$, for $\alpha \in Act_\tau$ and $\Theta \in \mathcal D(\mathrm{sCSP}^\omega)$, then $s \lhd^{e}_{FS} \Delta$ implies the existence of some $\Delta_\Theta$ such that $\Delta \stackrel{\hat\alpha}{\Longrightarrow}_\omega \Delta_\Theta$ and $\Theta \mathrel{\overline{\lhd^{e}_{FS}}} \Delta_\Theta$. By induction, using (4.6), it follows that $\min(\mathcal V(\Theta)) \ge \min(\mathcal V(\Delta_\Theta))$. Consequently, we have that

$$\begin{aligned}
\min(\mathcal V(s)) &= \min(\{\min(\mathcal V(\Theta)) \mid s \xrightarrow{\alpha} \Theta\}) \\
&\ge \min(\{\min(\mathcal V(\Delta_\Theta)) \mid s \xrightarrow{\alpha} \Theta\}) \\
&\ge \min(\{\min(\mathcal V(\Delta)) \mid s \xrightarrow{\alpha} \Theta\}) \qquad \text{(by (4.5))} \\
&= \min(\mathcal V(\Delta))\,.
\end{aligned}$$

• If $s \not\to$, that is $s \not\xrightarrow{Act^\omega}$ where $Act^\omega := Act \cup \{\omega\}$, then there is some $\Delta'$ such that $\Delta \Longrightarrow_\omega \Delta'$ and $\Delta' \not\xrightarrow{Act^\omega}$. By the definition of $\mathcal V$, $\min(\mathcal V(\Delta')) = 0$. Using (4.5), we have $\min(\mathcal V(\Delta)) \le \min(\mathcal V(\Delta'))$, so $\min(\mathcal V(\Delta)) = 0$ as well. Thus, also in this case $\min(\mathcal V(s)) \ge \min(\mathcal V(\Delta))$. □

Theorem 4.11. If $P \sqsubseteq_{FS} Q$ then $P \sqsubseteq_{pmust} Q$.

Proof. Similar to the proof of Theorem 4.7, using (4.4), (4.5) and (4.6). □

The next four sections are devoted to proving the converse of Theorems 4.7 and 4.11.



5. State- versus action-based testing 

Much work on testing [6, 8] uses success states marked by outgoing $\omega$-actions; this is referred to as state-based testing, which we have used in Section 3 to define the preorders $\sqsubseteq_{pmay}$ and $\sqsubseteq_{pmust}$. In other work [37, 10], however, it is the actual execution of $\omega$ that constitutes success. This action-based approach is formalised as in the state-based approach, via a modified results-gathering function:

$$\hat{\mathcal V}(s) := \begin{cases} \bigcup\{\hat{\mathcal V}(\Delta) \mid s \xrightarrow{\alpha} \Delta \;\wedge\; \alpha \neq \omega\} \;\cup\; \{1 \mid s \xrightarrow{\omega}\} & \text{if } s \to, \\[2pt] \{0\} & \text{otherwise.} \end{cases}$$

As in the original $\mathcal V$, the $\alpha$'s are non-success actions, including $\tau$; and again, this is done for generality, since in testing outcomes the only non-success action is $\tau$.

If we use this results-gathering function rather than $\mathcal V$ in Definitions 3.1 and 3.2 we obtain the two slightly different testing preorders, $\sqsubseteq^{\omega}_{pmay}$ and $\sqsubseteq^{\omega}_{pmust}$. The following proposition shows that state-based testing is at least as discriminating as action-based testing:
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Proposition 5.1. 

(1) U P Epmay Q then P Epmay Q- 

(2) If P E pmust Q then P E pmust Q. 

Proof. For any action-based test T we construct a state-based test T by replacing each 
subterm uj.Q by t.u; then we have V[T | Act P] = V[T [Act -P] for all pCSP processes P. □ 

Proposition 5.1 enables us to reduce our main goal, the converse of Theorems 4.7 and 4.11, to the following property.

Theorem 5.2.

(1) If $P \sqsubseteq^{\omega}_{pmay} Q$ then $P \sqsubseteq_{S} Q$.

(2) If $P \sqsubseteq^{\omega}_{pmust} Q$ then $P \sqsubseteq_{FS} Q$.

We set the proof of this theorem as our goal in the next three sections. 

Once we have obtained this theorem, it follows that in our framework of finite proba- 
bilistic processes the state-based and action-based testing preorders coincide. This result 
no longer holds in the presence of divergence, at least for must-testing. 

Example 5.3. Suppose we extend our syntax with a state-based process $\Omega$, to model divergence, and the operational semantics of Figure 1 with the rule

$$\Omega \xrightarrow{\tau} \Omega .$$

It is possible to extend the results-gathering functions $\mathcal{V}$ and $\mathcal{V}^{\omega}$ to these infinite processes, although the definitions are no longer inductive (cf. Definition 5 of [10] or Definition A.3 of the appendix). In this extended setting we will have $a.\Omega \not\sqsubseteq_{pmust} a.\Omega \sqcap 0$ because of the test $a.\omega$:

$$\mathcal{V}([\![a.\omega \mid_{Act} a.\Omega]\!]) = \{1\} \quad\text{while}\quad \mathcal{V}([\![a.\omega \mid_{Act} a.\Omega \sqcap 0]\!]) = \{0, 1\}.$$

This intuitively is due to the fact that the $\Omega$-encoded divergence of the left-hand process occurs only after the first action $a$; and since the left-hand process cannot deadlock before that action, relation $\sqsubseteq_{pmust}$ would prevent the right-hand process from doing so.

However, a peculiarity of action-based testing is that success actions can be indefinitely inhibited by infinite $\tau$-branches. We have

$$\mathcal{V}^{\omega}([\![a.\omega \mid_{Act} a.\Omega]\!]) = \mathcal{V}^{\omega}([\![a.\omega \mid_{Act} a.\Omega \sqcap 0]\!]) = \{0, 1\}.$$

Indeed no test can be found to distinguish them, and so one can show $a.\Omega \sqsubseteq^{\omega}_{pmust} a.\Omega \sqcap 0$.

Note that probabilistic behaviour plays no role in this counter-example. In CSP (without probabilities) there is no difference between $\sqsubseteq_{may}$ and $\sqsubseteq^{\omega}_{may}$, whereas $\sqsubseteq^{\omega}_{must}$ is strictly less discriminating than $\sqsubseteq_{must}$. For finitely branching processes, the CSP refinement preorder based on failures and divergences [2, 17, 34] coincides with the state-based relation $\sqsubseteq_{must}$.

6. Vector-based testing 

This section describes another variation on testing, a richer testing framework due to Segala [37], in which countably many success actions exist: the application of a test to a process yields a set of vectors over the real numbers, rather than a set of scalars. The resulting action-based testing preorders will serve as a stepping stone in proving Theorem 5.2.

Let $\Omega$ be a set of fresh success actions with $\Omega \cap Act_\tau = \emptyset$. An $\Omega$-test is again a pCSP process, but this time allowing subterms $\omega.P$ for any $\omega \in \Omega$. Applying such a test to a process yields a non-empty set of test outcome-tuples $\mathcal{A}^{\Omega}(T, P) \subseteq [0, 1]^{\Omega}$. As with standard scalar testing, each outcome arises from a resolution of the nondeterministic choices in $T \mid_{Act} P$. However, here an outcome is a tuple and its $\omega$-component gives the probability that this resolution will perform the success action $\omega$.

For vector-based testing we again inductively define a results-gathering function, but first we require some auxiliary notation. For any action $\alpha$ define $\alpha! : [0, 1]^{\Omega} \to [0, 1]^{\Omega}$ by

$$\alpha!o(\omega) := \begin{cases} 1 & \text{if } \omega = \alpha \\ o(\omega) & \text{otherwise} \end{cases}$$

so that if $\alpha$ is a success action, in $\Omega$, then $\alpha!$ updates the tuple to 1 at that point, leaving it unchanged otherwise, and when $\alpha \notin \Omega$ the function $\alpha!$ is the identity. These functions lift to sets $O \subseteq [0, 1]^{\Omega}$ as usual, via $\alpha!O := \{\alpha!o \mid o \in O\}$.

Next, for any set $X$ define its convex closure $\updownarrow X$ by

$$\updownarrow X := \Big\{\sum_{i \in I} p_i o_i \;\Big|\; \sum_{i \in I} p_i = 1 \text{ and } o_i \in X\Big\}.$$

Here, as usual, $I$ is assumed to be a finite index set. Finally, $\vec{0} \in [0, 1]^{\Omega}$ is given by $\vec{0}(\omega) = 0$ for all $\omega \in \Omega$. Let $\mathrm{pCSP}^{\Omega}$ be the set of $\Omega$-tests, and $\mathrm{sCSP}^{\Omega}$ the set of state-based $\Omega$-tests.

Definition 6.1. The action-based, vector-based, convex-closed results-gathering function $\mathcal{V}^{\Omega} : \mathrm{sCSP}^{\Omega} \to \mathcal{P}^{+}([0, 1]^{\Omega})$ is given by

$$\mathcal{V}^{\Omega}(s) := \begin{cases} \updownarrow \bigcup\{\alpha!(\mathcal{V}^{\Omega}(\Delta)) \mid s \xrightarrow{\alpha} \Delta,\ \alpha \in \Omega \cup Act_\tau\} & \text{if } s \longrightarrow \\ \{\vec{0}\} & \text{otherwise} \end{cases}$$

As with our previous results-gathering functions $\mathcal{V}$ and $\mathcal{V}^{\omega}$, this function extends to the type $\mathcal{D}(\mathrm{sCSP}^{\Omega}) \to \mathcal{P}^{+}([0, 1]^{\Omega})$ via the convention $\mathcal{V}^{\Omega}(\Delta) := \mathrm{Exp}_{\Delta}\mathcal{V}^{\Omega}$.

For any pCSP process $P$ and $\Omega$-test $T$, let

$$\mathcal{A}^{\Omega}(T, P) := \mathcal{V}^{\Omega}[\![T \mid_{Act} P]\!] .$$

The vector-based may- and must preorders are given by

$$P \sqsubseteq^{\Omega}_{pmay} Q \text{ iff for all } \Omega\text{-tests } T:\ \mathcal{A}^{\Omega}(T, P) \leq_{Ho} \mathcal{A}^{\Omega}(T, Q)$$
$$P \sqsubseteq^{\Omega}_{pmust} Q \text{ iff for all } \Omega\text{-tests } T:\ \mathcal{A}^{\Omega}(T, P) \leq_{Sm} \mathcal{A}^{\Omega}(T, Q)$$

where $\leq_{Ho}$ and $\leq_{Sm}$ are the Hoare- and Smyth preorders on $\mathcal{P}^{+}[0, 1]^{\Omega}$ generated from $\leq$ index-wise on $[0, 1]^{\Omega}$ itself.

We will explain the role of convex closure $\updownarrow$ in this definition. Let $\bar{\mathcal{V}}^{\Omega}$ be defined as $\mathcal{V}^{\Omega}$ above, but omitting the use of $\updownarrow$. It is easy to see that $\mathcal{V}^{\Omega}(s) = \updownarrow \bar{\mathcal{V}}^{\Omega}(s)$ for all $s \in \mathrm{sCSP}^{\Omega}$.

Applying convex closure to subsets of the one-dimensional interval $[0, 1]$ (such as arise from applying scalar tests to processes) has no effect on the Hoare and Smyth orders between these subsets:

Lemma 6.2. Suppose $X, Y \subseteq [0, 1]$. Then

(1) $X \leq_{Ho} Y$ if and only if $\updownarrow X \leq_{Ho} \updownarrow Y$.

(2) $X \leq_{Sm} Y$ if and only if $\updownarrow X \leq_{Sm} \updownarrow Y$.

Proof. We restrict attention to (1); the proof of (2) goes likewise. It suffices to show that (i) $X \leq_{Ho} \updownarrow X$ and (ii) $\updownarrow X \leq_{Ho} X$. We only prove (ii) since (i) is obvious. Suppose $x \in \updownarrow X$, then $x = \sum_{i \in I} p_i x_i$ for a finite set $I$ with $\sum_{i \in I} p_i = 1$ and $x_i \in X$. Let $x^* = \max\{x_i \mid i \in I\}$. Then

$$x = \sum_{i \in I} p_i x_i \leq \sum_{i \in I} p_i x^* = x^* \in X. \qquad \Box$$

It follows that for scalar testing it makes no difference whether convex closure is employed or not. Vector-based testing, as proposed in Definition 6.1, is a conservative extension of action-based testing, as described in Section 5.

Corollary 6.3. Suppose $\Omega$ is the singleton set $\{\omega\}$. Then

(1) $P \sqsubseteq^{\Omega}_{pmay} Q$ if and only if $P \sqsubseteq^{\omega}_{pmay} Q$.

(2) $P \sqsubseteq^{\Omega}_{pmust} Q$ if and only if $P \sqsubseteq^{\omega}_{pmust} Q$.

Proof. $\mathcal{V}^{\Omega} = \updownarrow \bar{\mathcal{V}}^{\Omega} = \updownarrow \mathcal{V}^{\omega}$ when $\Omega$ is $\{\omega\}$, so the result follows from Lemma 6.2. □

Lemma 6.2 does not generalise to $[0, 1]^k$, when $k > 1$, as the following example demonstrates:

Example 6.4. Let $X, Y$ denote $\{(0.5, 0.5)\}$, $\{(1, 0), (0, 1)\}$ respectively. Then it is easy to show that $\updownarrow X \leq_{Ho} \updownarrow Y$ although obviously $X \not\leq_{Ho} Y$.

This example can be exploited to show that for vector-based testing it does make a difference whether convex closure is employed.

Example 6.5. Consider the two processes

$$P := a\ {}_{\frac{1}{2}}\!\oplus\ b \qquad \text{and} \qquad Q := a \sqcap b .$$

Take $\Omega = \{\omega_1, \omega_2\}$. Employing the results-gathering function $\bar{\mathcal{V}}^{\Omega}$, without convex closure, with the test $T := a.\omega_1 \;\Box\; b.\omega_2$ we obtain

$$\bar{\mathcal{A}}^{\Omega}(T, P) = \{(0.5, 0.5)\}$$
$$\bar{\mathcal{A}}^{\Omega}(T, Q) = \{(1, 0), (0, 1)\} .$$

As pointed out in Example 6.4 this entails $\bar{\mathcal{A}}^{\Omega}(T, P) \not\leq_{Ho} \bar{\mathcal{A}}^{\Omega}(T, Q)$, although their convex closures $\mathcal{A}^{\Omega}(T, P)$ and $\mathcal{A}^{\Omega}(T, Q)$ are related under the Hoare preorder.
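The following Python script is an added illustration of Definition 6.1 and Examples 6.4 and 6.5, not code from the paper: it encodes a fragment of pCSP (constructed tuple terms, an assumed operational semantics for prefix, external, internal and probabilistic choice, and synchronising parallel composition), computes the outcome sets without convex closure, checks the Hoare preorder on them, and then checks exactly (by intersecting linear constraints on the mixing weight) whether the single outcome of $P$ is dominated by a point of the convex closure of the two outcomes of $Q$.

```python
from fractions import Fraction as Fr
from itertools import product

# Constructed encoding of pCSP terms (an added example, not the paper's own code):
#   ('nil',) is 0;  ('pre', a, P) is a.P;  ('ext', P, Q) is P [] Q;
#   ('int', P, Q) is P |~| Q;  ('prob', p, P, Q) is P p(+) Q with p a Fraction.
TAU = 'tau'

def dist(P):
    """[[P]]: distribution over state-based terms. Probabilistic choice mixes the two
    distributions; external choice of two distributions is their product under []."""
    if P[0] == 'prob':
        _, p, A, B = P
        d = {}
        for weight, sub in ((p, A), (1 - p, B)):
            for s, q in dist(sub).items():
                d[s] = d.get(s, Fr(0)) + weight * q
        return d
    if P[0] == 'ext':
        d = {}
        for (s, q), (t, r) in product(dist(P[1]).items(), dist(P[2]).items()):
            d[('ext', s, t)] = d.get(('ext', s, t), Fr(0)) + q * r
        return d
    return {P: Fr(1)}

def steps(s):
    """Strong transitions s --a--> Delta of a state-based term, as (a, Delta) pairs.
    A tau-move of one side of [] keeps the other side waiting."""
    if s[0] == 'pre':
        return [(s[1], dist(s[2]))]
    if s[0] == 'int':
        return [(TAU, dist(s[1])), (TAU, dist(s[2]))]
    if s[0] == 'ext':
        out = []
        for a, delta in steps(s[1]):
            out.append((a, delta) if a != TAU
                       else (TAU, {('ext', u, s[2]): q for u, q in delta.items()}))
        for a, delta in steps(s[2]):
            out.append((a, delta) if a != TAU
                       else (TAU, {('ext', s[1], u): q for u, q in delta.items()}))
        return out
    return []

def par_dist(dt, ds):
    """Product distribution over (test state, process state) pairs."""
    return {(t, s): q * r for (t, q), (s, r) in product(dt.items(), ds.items())}

def par_steps(t, s, act):
    """Moves of T |Act s: actions in act must synchronise; tau and success actions
    (outside act) are done by one side alone; unmatched act-moves of s are blocked."""
    out, ss = [], steps(s)
    for a, dt in steps(t):
        if a in act:
            out += [(a, par_dist(dt, ds)) for b, ds in ss if b == a]
        else:
            out.append((a, par_dist(dt, {s: Fr(1)})))
    out += [(b, par_dist({t: Fr(1)}, ds)) for b, ds in ss if b not in act]
    return out

def bang(a, o, omegas):
    """a!o: set the a-component of the outcome tuple to 1 when a is a success action."""
    return tuple(Fr(1) if w == a else v for w, v in zip(omegas, o))

def results(t, s, act, omegas):
    """V-bar^Omega(t |Act s): the outcome tuples without convex closure."""
    moves = par_steps(t, s, act)
    if not moves:
        return frozenset({tuple(Fr(0) for _ in omegas)})
    return frozenset(bang(a, o, omegas)
                     for a, delta in moves for o in results_dist(delta, act, omegas))

def results_dist(delta, act, omegas):
    """Exp_Delta V-bar^Omega: every sum_x Delta(x)*o_x with o_x drawn from V(x)."""
    pairs, out = list(delta.items()), set()
    for pick in product(*[results(t, s, act, omegas) for (t, s), _ in pairs]):
        out.add(tuple(sum(q * o[k] for (_, q), o in zip(pairs, pick))
                      for k in range(len(omegas))))
    return frozenset(out)

def outcomes(T, P, act, omegas):
    """A-bar^Omega(T, P) := V-bar^Omega [[T |Act P]]."""
    return results_dist(par_dist(dist(T), dist(P)), act, omegas)

def hoare_le(X, Y):
    """X <=_Ho Y: every x in X lies index-wise below some y in Y."""
    return all(any(all(a <= b for a, b in zip(x, y)) for y in Y) for x in X)

def dominated_by_segment(x, y1, y2):
    """Exact test: is x index-wise below some (1-t)*y1 + t*y2 with t in [0,1]? That is,
    is x below the convex closure of the two-element set {y1, y2} (Example 6.4's Y)?
    Each coordinate gives one linear constraint on t; intersect the resulting interval."""
    lo, hi = Fr(0), Fr(1)
    for xk, ak, bk in zip(x, y1, y2):
        d = bk - ak
        if d == 0:
            if ak < xk:
                return False
        elif d > 0:
            lo = max(lo, (xk - ak) / d)
        else:
            hi = min(hi, (xk - ak) / d)
    return lo <= hi

# Example 6.5: P = a 1/2(+) b, Q = a |~| b, test T = a.w1 [] b.w2, Omega = {w1, w2}.
NIL = ('nil',)
A, B = ('pre', 'a', NIL), ('pre', 'b', NIL)
P65, Q65 = ('prob', Fr(1, 2), A, B), ('int', A, B)
T65 = ('ext', ('pre', 'a', ('pre', 'w1', NIL)), ('pre', 'b', ('pre', 'w2', NIL)))
ACT, OMEGAS = {'a', 'b'}, ('w1', 'w2')

def example_6_5():
    """Returns A-bar(T,P), A-bar(T,Q), whether the raw sets are Hoare-related,
    and whether P's outcome is dominated by the convex closure of Q's outcomes."""
    AP, AQ = outcomes(T65, P65, ACT, OMEGAS), outcomes(T65, Q65, ACT, OMEGAS)
    (x,), (y1, y2) = AP, sorted(AQ)
    return AP, AQ, hoare_le(AP, AQ), dominated_by_segment(x, y1, y2)
```

Running `example_6_5()` reproduces $\{(0.5, 0.5)\}$ and $\{(1, 0), (0, 1)\}$, reports that the raw sets are not Hoare-related, and confirms that $(0.5, 0.5)$ is reached on the segment between $(1, 0)$ and $(0, 1)$ at $t = \tfrac{1}{2}$.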

Convex closure is a uniform way of ensuring that internal choice can simulate an arbitrary probabilistic choice [14]. For the processes $P$ and $Q$ of Example 6.5 it is obvious that $P \sqsubseteq_S Q$, and from Theorem 4.7 it therefore follows that $P \sqsubseteq_{pmay} Q$. This fits with the intuition that a probabilistic choice is an acceptable implementation of a nondeterministic choice occurring in a specification. Considering that we use $\sqsubseteq^{\Omega}_{pmay}$ as a stepping stone in showing the coincidence of $\sqsubseteq_S$ and $\sqsubseteq^{\omega}_{pmay}$, we must have $P \sqsubseteq^{\Omega}_{pmay} Q$. For this reason we use convex closure in Definition 6.1.

In [10] the results-gathering function $\mathcal{V}^{\Omega}$ with $\Omega = \{\omega_1, \omega_2, \ldots\}$ was called simply $\mathcal{V}$ (because action-based/vector-based/convex-closed testing was assumed there throughout, making the $\Omega$-indicators superfluous); and it was defined in terms of a formalisation of the notion of a resolution. As we show in Proposition A.6 of the appendix, the inductive Definition 6.1 above yields the same results. In the present paper our interest in vector-based testing stems from the following result.

Theorem 6.6.

(1) $P \sqsubseteq^{\Omega}_{pmay} Q$ iff $P \sqsubseteq^{\omega}_{pmay} Q$.

(2) $P \sqsubseteq^{\Omega}_{pmust} Q$ iff $P \sqsubseteq^{\omega}_{pmust} Q$.

Proof. In [10, Theorem 3] this theorem has been established for versions of $\sqsubseteq^{\Omega}_{pmay}$ and $\sqsubseteq^{\Omega}_{pmust}$ where tests are finite probabilistic automata, as defined in our Appendix A. The key argument is that when $P \sqsubseteq^{\Omega}_{pmay} Q$ can be refuted by means of a vector-based test $T$, then $P \sqsubseteq^{\omega}_{pmay} Q$ can be refuted by means of a scalar test $T \| U$, where $U$ is administrative code which collates the vector of results produced by $T$ and effectively renders them as a unique scalar result, and similarly for $\sqsubseteq^{\Omega}_{pmust}$. This theorem applies to our setting as well, due to the observation that if a test $T$ can be represented as a $\mathrm{pCSP}^{\Omega}$-expression, then so can the test $T \| U$. □

Because of Theorem 6.6, in order to establish Theorem 5.2 it will suffice to show that

(1) $P \sqsubseteq^{\Omega}_{pmay} Q$ implies $P \sqsubseteq_S Q$ and

(2) $P \sqsubseteq^{\Omega}_{pmust} Q$ implies $P \sqsubseteq_{FS} Q$.

This shift from scalar testing to vector-based testing is motivated by the fact that the latter enables us to use more informative tests, allowing us to discover more intensional properties of the processes being tested.

The crucial characteristics of $\mathcal{A}^{\Omega}$ needed for the above implications are summarised in Lemmas 6.7 and 6.8. For convenience of presentation, we write $\vec{\omega}$ for the vector in $[0, 1]^{\Omega}$ defined by $\vec{\omega}(\omega) = 1$ and $\vec{\omega}(\omega') = 0$ for $\omega' \neq \omega$. Sometimes we treat a distribution $\Delta$ of finite support as the pCSP expression $\bigoplus_{s \in \lceil\Delta\rceil} \Delta(s) \cdot s$, so that $\mathcal{A}^{\Omega}(T, \Delta) := \mathrm{Exp}_{\Delta}\mathcal{A}^{\Omega}(T, \_)$.

Lemma 6.7. Let $P$ be a pCSP process, and $T, T_i$ be tests.

(1) $o \in \mathcal{A}^{\Omega}(\omega, P)$ iff $o = \vec{\omega}$.

(2) $\vec{0} \in \mathcal{A}^{\Omega}(\Box_{a \in X}\, a.\omega, P)$ iff $\exists \Delta : [\![P]\!] \Longrightarrow \Delta \wedge \Delta \stackrel{X}{\not\longrightarrow}$.

(3) Suppose the action $\omega$ does not occur in the test $T$. Then $o \in \mathcal{A}^{\Omega}(\omega \;\Box\; a.T, P)$ with $o(\omega) = 0$ iff there is a $\Delta \in \mathcal{D}(\mathrm{sCSP})$ with $[\![P]\!] \stackrel{a}{\Longrightarrow} \Delta$ and $o \in \mathcal{A}^{\Omega}(T, \Delta)$.

(4) $o \in \mathcal{A}^{\Omega}(\bigoplus_{i \in I} p_i \cdot T_i, P)$ iff $o = \sum_{i \in I} p_i o_i$ for some $o_i \in \mathcal{A}^{\Omega}(T_i, P)$.

(5) $o \in \mathcal{A}^{\Omega}(\bigsqcap_{i \in I} T_i, P)$ if for all $i \in I$ there are $q_i \in [0, 1]$ and $\Delta_i \in \mathcal{D}(\mathrm{sCSP})$ such that $\sum_{i \in I} q_i = 1$, $[\![P]\!] \Longrightarrow \sum_{i \in I} q_i \cdot \Delta_i$ and $o = \sum_{i \in I} q_i o_i$ for some $o_i \in \mathcal{A}^{\Omega}(T_i, \Delta_i)$.

Proof. Straightforward, by induction on the structure of $P$. □

The converse of Lemma 6.7(5) also holds, as the following lemma says. However, the proof is less straightforward.

Lemma 6.8. Let $P$ be a pCSP process, and $T_i$ be tests. If $o \in \mathcal{A}^{\Omega}(\bigsqcap_{i \in I} T_i, P)$ then for all $i \in I$ there are $q_i \in [0, 1]$ and $\Delta_i \in \mathcal{D}(\mathrm{sCSP})$ with $\sum_{i \in I} q_i = 1$ such that $[\![P]\!] \Longrightarrow \sum_{i \in I} q_i \cdot \Delta_i$ and $o = \sum_{i \in I} q_i o_i$ for some $o_i \in \mathcal{A}^{\Omega}(T_i, \Delta_i)$.

Proof. Given that the states of our pLTS are sCSP expressions, there exists a well-founded order on the combination of states in sCSP and distributions in $\mathcal{D}(\mathrm{sCSP})$, such that $s \xrightarrow{\alpha} \Delta$ implies that $s$ is larger than $\Delta$, and any distribution is larger than the states in its support. Intuitively, this order corresponds to the usual order on natural numbers if we graphically depict a pLTS as a finite tree (cf. Section 2) and assign to each node a number to indicate its level in the tree. Let $T = \bigsqcap_{i \in I} T_i$. We prove the following two claims

(a) If $s$ is a state-based process and $o \in \mathcal{A}^{\Omega}(T, s)$ then there are some $\{q_i\}_{i \in I}$ with $\sum_{i \in I} q_i = 1$ such that $s \Longrightarrow \sum_{i \in I} q_i \cdot \Delta_i$, $o = \sum_{i \in I} q_i o_i$, and $o_i \in \mathcal{A}^{\Omega}(T_i, \Delta_i)$.

(b) If $\Delta \in \mathcal{D}(\mathrm{sCSP})$ and $o \in \mathcal{A}^{\Omega}(T, \Delta)$ then there are some $\{q_i\}_{i \in I}$ with $\sum_{i \in I} q_i = 1$ such that $\Delta \Longrightarrow \sum_{i \in I} q_i \cdot \Delta_i$, $o = \sum_{i \in I} q_i o_i$, and $o_i \in \mathcal{A}^{\Omega}(T_i, \Delta_i)$.
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by simultaneous induction on the order mentioned above, applied to s and A. 

(a) We have two sub-cases depending on whether s can make an initial T-move or not. 

• If s cannot make a r-move, that is s -^4, then the only possible moves from T|Act s are 
T-moves originating in T; T has no non-r moves, and any non-r moves that might be 
possible for s on its own are inhibited by the alphabet Act of the composition. Suppose 
o G A^(T,s). Then by definit ion (j6.ip there are some {qi}iei with YlieiQi = 1 
such that o = ^ig/ 1 i0i 

and Oi G Af(T h s) = Af(Ti,s). Obviously we also have 

H EiG/ ffi ■ ? - 

• If s can make one or more T-moves, then we have s — ^ A'- for j G J, where without 
loss of generality J can be assumed to be a non-empty finite set disjoint from i", 
the index set for T. The possible first moves for T |Act s are r-moves either of T 
or of s, because T cannot make initial non-r moves and that prevents a proper 
synchronisation from occurring on the first step. Suppose that o G A¥ (T, s). Then 
by definition (|6,ip there are some {pk}keiuJ with YlkeinjPk = 1 an< ^ 

keiuJ 

o- G Af(Ti, s) for all s G I (6.3) 
o'j G A%(T, Aj) for all j G J. (6.4) 
For each j G J, we know by the induction hypothesis that 

A} -• ^ /'// • A' , (6.5) 

iG/ 

c ;, g^(t,,a;,) (6.7) 

for some {pjijiei with YjiaiPji = 1 - Let 

qi=Pi + ^PjPji 



Ai = — (pi • s + ^PjPji ■ A'^) 
-(Pi i + J2PjPji 'j 



. - ^ • — ^ 



for each i E I, except that Aj and o% are chosen arbitrarily in case qi = 0. It 
can be checked by arithmetic that gj,Aj,Oj have the required properties, viz. that 
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Yjiai Qi = 1j that o = Y^iei 9*°* and that 

==$■ ^^Pi • 3 + y^Pj • y^Pji • by (|6.5p and Lemma ETT1 

= E qi ' Ai ■ 



16/ 

7T2/ 



Finally, it follows from ([63]) and ([621) tnat °i G A" (Tj, A;) for each i G I. 
(b) Let [A] = {sjljgj and Tj = A(sj). W.l.o.g. we may assume that J is a non-empty 
finite set disjoint from I. Using that Af(X^A) := Exp A Af(T, _), if o G .Af (T, A) then 

;- eif(T, Sj ) (6.9) 
For each j € J, we know by the induction hypothesis that 

s s ; >^,/ ;( .A}, (6.10) 

iei 

Y^'U^'j, (6.11) 

iei 

o;,G^(T,,A;,) (6.12) 
for some {qji}iei with YlieiQji = 1- Thus let 

9* = E W 

A, = -J]w^ 

9t ieJ 



1 \- 

°i - ''j'lj' ;,, 



again choosing Aj and Oj arbitrarily in case % = 0. As in the first case, it can be shown 
by arithmetic that the collection n, Aj,Oj has the required properties. □ 



7. Modal logic 

In this section we present logical characterisations $\sqsubseteq_{\mathcal{L}}$ and $\sqsubseteq_{\mathcal{F}}$ of our testing preorders. Besides their intrinsic interest, these logical preorders also serve as a stepping stone in proving Theorem 5.2. In this section we show that the logical preorders are sound w.r.t. the simulation and failure simulation preorders, and hence w.r.t. the testing preorders; in the next section we establish completeness. To start, we define a set $\mathcal{F}$ of modal formulae, inductively, as follows:

• $\mathrm{ref}(X) \in \mathcal{F}$ when $X \subseteq Act$,

• $\langle a \rangle \varphi \in \mathcal{F}$ when $\varphi \in \mathcal{F}$ and $a \in Act$,

• $\bigwedge_{i \in I} \varphi_i \in \mathcal{F}$ when $\varphi_i \in \mathcal{F}$ for all $i \in I$, with $I$ finite,

• and $\bigoplus_{i \in I} p_i \cdot \varphi_i \in \mathcal{F}$ when $p_i \in [0, 1]$ and $\varphi_i \in \mathcal{F}$ for all $i \in I$, with $I$ a finite index set, and $\sum_{i \in I} p_i = 1$.

We often write $\varphi_1 \wedge \varphi_2$ for $\bigwedge_{i \in \{1, 2\}} \varphi_i$ and $\top$ for $\bigwedge_{i \in \emptyset} \varphi_i$.

The satisfaction relation $\models\ \subseteq \mathcal{D}(\mathrm{sCSP}) \times \mathcal{F}$ is given by:

• $\Delta \models \mathrm{ref}(X)$ iff there is a $\Delta'$ with $\Delta \Longrightarrow \Delta'$ and $\Delta' \stackrel{X}{\not\longrightarrow}$,

• $\Delta \models \langle a \rangle \varphi$ iff there is a $\Delta'$ with $\Delta \stackrel{a}{\Longrightarrow} \Delta'$ and $\Delta' \models \varphi$,

• $\Delta \models \bigwedge_{i \in I} \varphi_i$ iff $\Delta \models \varphi_i$ for all $i \in I$,

• and $\Delta \models \bigoplus_{i \in I} p_i \cdot \varphi_i$ iff there are $\Delta_i \in \mathcal{D}(\mathrm{sCSP})$, for all $i \in I$, with $\Delta_i \models \varphi_i$, such that $\Delta \Longrightarrow \sum_{i \in I} p_i \cdot \Delta_i$.

Let $\mathcal{L}$ be the subclass of $\mathcal{F}$ obtained by skipping the $\mathrm{ref}(X)$ clause. We write $P \sqsubseteq_{\mathcal{L}} Q$ just when $[\![P]\!] \models \varphi$ implies $[\![Q]\!] \models \varphi$ for all $\varphi \in \mathcal{L}$, and $P \sqsubseteq_{\mathcal{F}} Q$ just when $[\![P]\!] \models \varphi$ is implied by $[\![Q]\!] \models \varphi$ for all $\varphi \in \mathcal{F}$. (Note the opposing directions.)

In order to obtain the main result of this section, Theorem 7.4, we introduce the following tool.

Definition 7.1. The $\mathcal{F}$-characteristic formula $\varphi_s$ or $\varphi_\Delta$ of a process $s \in \mathrm{sCSP}$ or $\Delta \in \mathcal{D}(\mathrm{sCSP})$ is defined inductively:

• $\varphi_s := \bigwedge_{s \xrightarrow{a} \Delta} \langle a \rangle \varphi_\Delta \;\wedge\; \mathrm{ref}(\{a \mid s \stackrel{a}{\not\longrightarrow}\})$ if $s \stackrel{\tau}{\not\longrightarrow}$,

• $\varphi_s := \bigwedge_{s \xrightarrow{a} \Delta} \langle a \rangle \varphi_\Delta \;\wedge\; \bigwedge_{s \xrightarrow{\tau} \Delta} \varphi_\Delta$ otherwise,

• $\varphi_\Delta := \bigoplus_{s \in \lceil\Delta\rceil} \Delta(s) \cdot \varphi_s$.

Here the conjunctions $\bigwedge_{s \xrightarrow{a} \Delta}$ range over suitable pairs $a, \Delta$, and $\bigwedge_{s \xrightarrow{\tau} \Delta}$ ranges over suitable $\Delta$. The $\mathcal{L}$-characteristic formulae $\psi_s$ and $\psi_\Delta$ are defined likewise, but omitting the conjuncts $\mathrm{ref}(\{a \mid s \stackrel{a}{\not\longrightarrow}\})$.

Write $\varphi \Rrightarrow \psi$ with $\varphi, \psi \in \mathcal{F}$ if for each distribution $\Delta$ one has $\Delta \models \varphi$ implies $\Delta \models \psi$. Then it is easy to see that $\varphi_{\bar{s}} \Rrightarrow \varphi_s$ and $\bigwedge_{i \in I} \varphi_i \Rrightarrow \varphi_i$ for any $i \in I$; furthermore, the following property can be established by an easy inductive proof.

Lemma 7.2. For any $\Delta \in \mathcal{D}(\mathrm{sCSP})$ we have $\Delta \models \varphi_\Delta$, as well as $\Delta \models \psi_\Delta$. □

It and the following lemma help to establish Theorem 7.4.

Lemma 7.3. For any processes $P, Q \in \mathrm{pCSP}$ we have that $[\![P]\!] \models \varphi_{[\![Q]\!]}$ implies $P \sqsubseteq_{FS} Q$, and likewise that $[\![Q]\!] \models \psi_{[\![P]\!]}$ implies $P \sqsubseteq_S Q$.

Proof. To establish the first statement, we define the relation $\mathcal{R}$ by $s\ \mathcal{R}\ \Theta$ iff $\Theta \models \varphi_s$; to show that it is a failure simulation we first prove the following technical result:

$$\Theta \models \varphi_\Delta \text{ implies } \exists \Theta' : \Theta \Longrightarrow \Theta' \wedge \Delta\ \overline{\mathcal{R}}\ \Theta' . \tag{7.1}$$

Suppose $\Theta \models \varphi_\Delta$ with $\varphi_\Delta = \bigoplus_{i \in I} p_i \cdot \varphi_{s_i}$, so that we have $\Delta = \sum_{i \in I} p_i \cdot \bar{s}_i$ and for all $i \in I$ there are $\Theta_i \in \mathcal{D}(\mathrm{sCSP})$ with $\Theta_i \models \varphi_{s_i}$ such that $\Theta \Longrightarrow \Theta'$ with $\Theta' := \sum_{i \in I} p_i \cdot \Theta_i$. Since $s_i\ \mathcal{R}\ \Theta_i$ for all $i \in I$ we have $\Delta\ \overline{\mathcal{R}}\ \Theta'$.

Now we show that $\mathcal{R}$ is a failure simulation.

• Suppose $s\ \mathcal{R}\ \Theta$ and $s \xrightarrow{\tau} \Delta$. Then from Definition 7.1 we have $\varphi_s \Rrightarrow \varphi_\Delta$, so that $\Theta \models \varphi_\Delta$. Applying (7.1) gives us $\Theta \Longrightarrow \Theta'$ with $\Delta\ \overline{\mathcal{R}}\ \Theta'$ for some $\Theta'$.

• Suppose $s\ \mathcal{R}\ \Theta$ and $s \xrightarrow{a} \Delta$ with $a \in Act$. Then $\varphi_s \Rrightarrow \langle a \rangle \varphi_\Delta$, so $\Theta \models \langle a \rangle \varphi_\Delta$. Hence $\exists \Theta'$ with $\Theta \stackrel{a}{\Longrightarrow} \Theta'$ and $\Theta' \models \varphi_\Delta$. Again apply (7.1).

• Suppose $s\ \mathcal{R}\ \Theta$ and $s \stackrel{X}{\not\longrightarrow}$ with $X \subseteq Act$. Then $\varphi_s \Rrightarrow \mathrm{ref}(X)$, so $\Theta \models \mathrm{ref}(X)$. Hence $\exists \Theta'$ with $\Theta \Longrightarrow \Theta'$ and $\Theta' \stackrel{X}{\not\longrightarrow}$.

Thus $\mathcal{R}$ is indeed a failure simulation. By our assumption $[\![P]\!] \models \varphi_{[\![Q]\!]}$, using (7.1), there exists a $\Theta'$ such that $[\![P]\!] \Longrightarrow \Theta'$ and $[\![Q]\!]\ \overline{\mathcal{R}}\ \Theta'$, which gives $P \sqsubseteq_{FS} Q$ via Definition 4.3.

To establish the second statement, define the relation $\mathcal{S}$ by $s\ \mathcal{S}\ \Theta$ iff $\Theta \models \psi_s$; exactly as above one obtains

$$\Theta \models \psi_\Delta \text{ implies } \exists \Theta' : \Theta \Longrightarrow \Theta' \wedge \Delta\ \overline{\mathcal{S}}\ \Theta' . \tag{7.2}$$

Just as above it follows that $\mathcal{S}$ is a simulation. By the assumption $[\![Q]\!] \models \psi_{[\![P]\!]}$, using (7.2), there exists a $\Theta'$ such that $[\![Q]\!] \Longrightarrow \Theta'$ and $[\![P]\!]\ \overline{\mathcal{S}}\ \Theta'$. Hence $P \sqsubseteq_S Q$ via Definition [?]. □

Theorem 7.4.

(1) If $P \sqsubseteq_{\mathcal{L}} Q$ then $P \sqsubseteq_S Q$.

(2) If $P \sqsubseteq_{\mathcal{F}} Q$ then $P \sqsubseteq_{FS} Q$.

Proof. Suppose $P \sqsubseteq_{\mathcal{F}} Q$. By Lemma 7.2 we have $[\![Q]\!] \models \varphi_{[\![Q]\!]}$ and hence $[\![P]\!] \models \varphi_{[\![Q]\!]}$. Lemma 7.3 gives $P \sqsubseteq_{FS} Q$.

For (1), assuming $P \sqsubseteq_{\mathcal{L}} Q$ we have $[\![P]\!] \models \psi_{[\![P]\!]}$, hence $[\![Q]\!] \models \psi_{[\![P]\!]}$, and thus $P \sqsubseteq_S Q$. □



8. Characteristic tests 

Our final step towards Theorem 5.2 is taken in this section, where we show that every modal formula $\varphi$ can be characterised by a vector-based test $T_\varphi$ with the property that any pCSP process satisfies $\varphi$ just when it passes the test $T_\varphi$.

Lemma 8.1. For every $\varphi \in \mathcal{F}$ there exists a pair $(T_\varphi, v_\varphi)$ with $T_\varphi$ an $\Omega$-test and $v_\varphi \in [0, 1]^{\Omega}$, such that

$$\Delta \models \varphi \text{ iff } \exists o \in \mathcal{A}^{\Omega}(T_\varphi, \Delta) : o \leq v_\varphi \tag{8.1}$$

for all $\Delta \in \mathcal{D}(\mathrm{sCSP})$, and in case $\varphi \in \mathcal{L}$ we also have

$$\Delta \models \varphi \text{ iff } \exists o \in \mathcal{A}^{\Omega}(T_\varphi, \Delta) : o \geq v_\varphi . \tag{8.2}$$

$T_\varphi$ is called a characteristic test of $\varphi$ and $v_\varphi$ its target value.

Proof. First of all note that if a pair $(T_\varphi, v_\varphi)$ satisfies the requirements above, then any pair obtained from $(T_\varphi, v_\varphi)$ by bijectively renaming the elements of $\Omega$ also satisfies these requirements. Hence a characteristic test can always be chosen in such a way that there is a success action $\omega \in \Omega$ that does not occur in (the finite) $T_\varphi$. Moreover, any countable collection of characteristic tests can be assumed to be $\Omega$-disjoint, meaning that no $\omega \in \Omega$ occurs in two different elements of the collection.

The required characteristic tests and target values are obtained as follows.

• Let $\varphi = \top$. Take $T_\varphi := \omega$ for some $\omega \in \Omega$, and $v_\varphi := \vec{\omega}$.

• Let $\varphi = \mathrm{ref}(X)$ with $X \subseteq Act$. Take $T_\varphi := \Box_{a \in X}\, a.\omega$ for some $\omega \in \Omega$, and $v_\varphi := \vec{0}$.

• Let $\varphi = \langle a \rangle \psi$. By induction, $\psi$ has a characteristic test $T_\psi$ with target value $v_\psi$. Take $T_\varphi := \omega \;\Box\; a.T_\psi$, where $\omega \in \Omega$ does not occur in $T_\psi$, and $v_\varphi := v_\psi$.

• Let $\varphi = \bigwedge_{i \in I} \varphi_i$ with $I$ a finite and non-empty index set. Choose an $\Omega$-disjoint family $(T_i, v_i)_{i \in I}$ of characteristic tests $T_i$ with target values $v_i$ for each $\varphi_i$. Furthermore, let $p_i \in (0, 1]$ for $i \in I$ be chosen arbitrarily such that $\sum_{i \in I} p_i = 1$. Take $T_\varphi := \bigoplus_{i \in I} p_i \cdot T_i$ and $v_\varphi := \sum_{i \in I} p_i v_i$.

• Let $\varphi = \bigoplus_{i \in I} p_i \cdot \varphi_i$. Choose an $\Omega$-disjoint family $(T_i, v_i)_{i \in I}$ of characteristic tests $T_i$ with target values $v_i$ for each $\varphi_i$, such that there are distinct success actions $\omega_i$ for $i \in I$ that do not occur in any of those tests. Let $T'_i := T_i\ {}_{\frac{1}{2}}\!\oplus\ \omega_i$ and $v'_i := \frac{1}{2} v_i + \frac{1}{2} \vec{\omega}_i$. Note that for all $i \in I$ also $T'_i$ is a characteristic test of $\varphi_i$ with target value $v'_i$. Take $T_\varphi := \bigsqcap_{i \in I} T'_i$ and $v_\varphi := \sum_{i \in I} p_i v'_i$.

Note that $v_\varphi(\omega) = 0$ whenever $\omega$ does not occur in $T_\varphi$. By induction on $\varphi$ we now check (8.1) above.

• Let $\varphi = \top$. For all $\Delta \in \mathcal{D}(\mathrm{sCSP})$ we have $\Delta \models \varphi$ as well as $\exists o \in \mathcal{A}^{\Omega}(T_\varphi, \Delta) : o \leq v_\varphi$, using Lemma 6.7(1).

• Let $\varphi = \mathrm{ref}(X)$ with $X \subseteq Act$. Suppose $\Delta \models \varphi$. Then there is a $\Delta'$ with $\Delta \Longrightarrow \Delta'$ and $\Delta' \stackrel{X}{\not\longrightarrow}$. By Lemma 6.7(2), $\vec{0} \in \mathcal{A}^{\Omega}(T_\varphi, \Delta)$.

Now suppose $\exists o \in \mathcal{A}^{\Omega}(T_\varphi, \Delta) : o \leq v_\varphi$. This implies $o = \vec{0}$, so by Lemma 6.7(2) there is a $\Delta'$ with $\Delta \Longrightarrow \Delta'$ and $\Delta' \stackrel{X}{\not\longrightarrow}$. Hence $\Delta \models \varphi$.

• Let $\varphi = \langle a \rangle \psi$ with $a \in Act$. Suppose $\Delta \models \varphi$. Then there is a $\Delta'$ with $\Delta \stackrel{a}{\Longrightarrow} \Delta'$ and $\Delta' \models \psi$. By induction, $\exists o \in \mathcal{A}^{\Omega}(T_\psi, \Delta') : o \leq v_\psi$. By Lemma 6.7(3), $o \in \mathcal{A}^{\Omega}(T_\varphi, \Delta)$.

Now suppose $\exists o \in \mathcal{A}^{\Omega}(T_\varphi, \Delta) : o \leq v_\varphi$. This implies $o(\omega) = 0$, so by Lemma 6.7(3) there is a $\Delta'$ with $\Delta \stackrel{a}{\Longrightarrow} \Delta'$ and $o \in \mathcal{A}^{\Omega}(T_\psi, \Delta')$. By induction, $\Delta' \models \psi$, so $\Delta \models \varphi$.

• Let $\varphi = \bigwedge_{i \in I} \varphi_i$ with $I$ a finite and non-empty index set. Suppose $\Delta \models \varphi$. Then $\Delta \models \varphi_i$ for all $i \in I$, and hence, by induction, $\exists o_i \in \mathcal{A}^{\Omega}(T_i, \Delta) : o_i \leq v_i$. Thus $o := \sum_{i \in I} p_i o_i \in \mathcal{A}^{\Omega}(T_\varphi, \Delta)$ by Lemma 6.7(4), and $o \leq v_\varphi$.

Now suppose $\exists o \in \mathcal{A}^{\Omega}(T_\varphi, \Delta) : o \leq v_\varphi$. Then, using Lemma 6.7(4), $o = \sum_{i \in I} p_i o_i$ for certain $o_i \in \mathcal{A}^{\Omega}(T_i, \Delta)$. Note that $(T_i)_{i \in I}$ is an $\Omega$-disjoint family of tests. One has $o_i \leq v_i$ for all $i \in I$, for if $o_i(\omega) > v_i(\omega)$ for some $i \in I$ and $\omega \in \Omega$, then $\omega$ must occur in $T_i$ and hence cannot occur in $T_j$ for $j \neq i$. This implies $v_j(\omega) = 0$ for all $j \neq i$ and thus $o(\omega) > v_\varphi(\omega)$, in contradiction with the assumption. By induction, $\Delta \models \varphi_i$ for all $i \in I$, and hence $\Delta \models \varphi$.

• Let $\varphi = \bigoplus_{i \in I} p_i \cdot \varphi_i$. Suppose $\Delta \models \varphi$. Then for all $i \in I$ there are $\Delta_i \in \mathcal{D}(\mathrm{sCSP})$ with $\Delta_i \models \varphi_i$ such that $\Delta \Longrightarrow \sum_{i \in I} p_i \cdot \Delta_i$. By induction, there are $o_i \in \mathcal{A}^{\Omega}(T_i, \Delta_i)$ with $o_i \leq v_i$. Hence, there are $o'_i \in \mathcal{A}^{\Omega}(T'_i, \Delta_i)$ with $o'_i \leq v'_i$. Thus $o := \sum_{i \in I} p_i o'_i \in \mathcal{A}^{\Omega}(T_\varphi, \Delta)$ by Lemma 6.7(5), and $o \leq v_\varphi$.

Now suppose $\exists o \in \mathcal{A}^{\Omega}(T_\varphi, \Delta) : o \leq v_\varphi$. Then, by Lemma 6.8, there are $q \in \mathcal{D}(I)$ and $\Delta_i$, for $i \in I$, such that $\Delta \Longrightarrow \sum_{i \in I} q_i \cdot \Delta_i$ and $o = \sum_{i \in I} q_i o'_i$ for some $o'_i \in \mathcal{A}^{\Omega}(T'_i, \Delta_i)$. Now $\forall i : o'_i(\omega_i) = v'_i(\omega_i) = \frac{1}{2}$, so, using that $(T'_i)_{i \in I}$ is an $\Omega$-disjoint family of tests, $\frac{1}{2} q_i = q_i o'_i(\omega_i) = o(\omega_i) \leq v_\varphi(\omega_i) = p_i v'_i(\omega_i) = \frac{1}{2} p_i$. As $\sum_{i \in I} q_i = \sum_{i \in I} p_i = 1$, it must be that $q_i = p_i$ for all $i \in I$. Exactly as in the previous case one obtains $o'_i \leq v'_i$ for all $i \in I$. Given that $T'_i = T_i\ {}_{\frac{1}{2}}\!\oplus\ \omega_i$, using Lemma 6.7(4), it must be that $o'_i = \frac{1}{2} o_i + \frac{1}{2} \vec{\omega}_i$ for some $o_i \in \mathcal{A}^{\Omega}(T_i, \Delta_i)$ with $o_i \leq v_i$. By induction, $\Delta_i \models \varphi_i$ for all $i \in I$, and hence $\Delta \models \varphi$.

In case $\varphi \in \mathcal{L}$, the formula cannot be of the form $\mathrm{ref}(X)$. Then a straightforward induction yields that $\sum_{\omega \in \Omega} v_\varphi(\omega) = 1$ and for all $\Delta \in \mathcal{D}(\mathrm{pCSP})$ and $o \in \mathcal{A}^{\Omega}(T_\varphi, \Delta)$ we have $\sum_{\omega \in \Omega} o(\omega) = 1$. Therefore, $o \leq v_\varphi$ iff $o \geq v_\varphi$ iff $o = v_\varphi$, yielding (8.2). □

Theorem 8.2.

(1) If $P \sqsubseteq^{\Omega}_{pmay} Q$ then $P \sqsubseteq_{\mathcal{L}} Q$.

(2) If $P \sqsubseteq^{\Omega}_{pmust} Q$ then $P \sqsubseteq_{\mathcal{F}} Q$.
(E2) $P \;\Box\; Q \;=\; Q \;\Box\; P$

(E3) $(P \;\Box\; Q) \;\Box\; R \;=\; P \;\Box\; (Q \;\Box\; R)$

(EI) $a.P \;\Box\; a.Q \;=\; a.P \sqcap a.Q$

(D1) $P \;\Box\; (Q\ {}_p\!\oplus\ R) \;=\; (P \;\Box\; Q)\ {}_p\!\oplus\ (P \;\Box\; R)$

(D2) $a.P \;\Box\; (Q \sqcap R) \;=\; (a.P \;\Box\; Q) \sqcap (a.P \;\Box\; R)$

(D3) $(P_1 \sqcap P_2) \;\Box\; (Q_1 \sqcap Q_2) \;=\; (P_1 \;\Box\; (Q_1 \sqcap Q_2)) \sqcap (P_2 \;\Box\; (Q_1 \sqcap Q_2)) \sqcap ((P_1 \sqcap P_2) \;\Box\; Q_1) \sqcap ((P_1 \sqcap P_2) \;\Box\; Q_2)$

Figure 4: Common equations

Proof. Suppose $P \sqsubseteq^{\Omega}_{pmust} Q$ and $[\![Q]\!] \models \varphi$ for some $\varphi \in \mathcal{F}$. Let $T_\varphi$ be a characteristic test of $\varphi$ with target value $v_\varphi$. Then Lemma 8.1 yields $\exists o \in \mathcal{A}^{\Omega}(T_\varphi, [\![Q]\!]) : o \leq v_\varphi$, and hence, given that $P \sqsubseteq^{\Omega}_{pmust} Q$ and $\mathcal{A}^{\Omega}(T_\varphi, [\![R]\!]) = \mathcal{A}^{\Omega}(T_\varphi, R)$ for any $R \in \mathrm{pCSP}$, by the Smyth preorder we have $\exists o' \in \mathcal{A}^{\Omega}(T_\varphi, [\![P]\!]) : o' \leq v_\varphi$. Thus $[\![P]\!] \models \varphi$.

The may-case goes likewise, via the Hoare preorder. □

Combining Theorems 6.6, 8.2 and 7.4 we obtain Theorem 5.2, the goal we set ourselves in Section 5. Thus, with Theorems 4.7 and 4.11 and Proposition 5.1 we have shown that the may preorder coincides with simulation and that the must preorder coincides with failure simulation. These results also imply the converse of both statements in Theorem 8.2 and thus that the logics $\mathcal{L}$ and $\mathcal{F}$ give logical characterisations of the simulation and failure simulation preorders $\sqsubseteq_S$ and $\sqsubseteq_{FS}$. □



9. EQUATIONAL THEORIES 

Having settled the problem of characterising the may preorder in terms of simulation, and the must preorder in terms of failure simulation, we now turn to complete axiomatisations of the preorders.

In order to focus on the essentials we consider just those pCSP processes that do not use the parallel operator $\mid_A$; we call the resulting sub-language nCSP. For a brief discussion of the axiomatisation for terms involving $\mid_A$ and the other parallel operators commonly used in CSP see Section 12.

Let us write $P =_E Q$ for equivalences that can be derived using the equations given in Figure 4. Given the way we defined the syntax of pCSP, axiom (D1) is merely a case of abbreviation-expansion; thanks to (D1) there is no need for (meta-)variables ranging over the sub-sort of state-based processes anywhere in the axioms. Many of the standard equations for CSP [17] are missing; they are not sound for $\simeq_{FS}$. Typical examples include:

$$a.(P \sqcap Q) \;=\; a.P \sqcap a.Q$$
$$P \;=\; P \;\Box\; P$$
$$P \;\Box\; (Q \sqcap R) \;=\; (P \;\Box\; Q) \sqcap (P \;\Box\; R)$$
$$P \sqcap (Q \;\Box\; R) \;=\; (P \sqcap Q) \;\Box\; (P \sqcap R)$$

For a detailed discussion of the standard equations for CSP in the presence of probabilistic processes see Section 4 of [8].

Proposition 9.1. Suppose $P =_E Q$. Then $P \simeq_{FS} Q$.

Proof. Because of Proposition 4.6, that $\sqsubseteq_{FS}$ is a precongruence, it is sufficient to exhibit witness failure simulations for the axioms in Figure 4. These are exactly the same as the witness simulations for the same axioms, given in [8]. The only axiom for which it is nontrivial to check that these simulations are in fact failure simulations is (EI). That axiom, as stated in [8], is unsound here; it will return in the next section as (May0). But the special case of $a = b$ yields the axiom (EI) above, and then the witness simulation from [8] is a failure simulation indeed. □

As $\simeq_S$ is a less discriminating equivalence than $\simeq_{FS}$ it follows that $P =_E Q$ implies $P \simeq_S Q$.

This equational theory allows us to reduce terms to a form in which the external choice operator is applied to prefix terms only.

Definition 9.2 (Normal forms). The set of normal forms $N$ is given by the following grammar:

$$N ::= N_1\ {}_p\!\oplus\ N_2 \;\mid\; N_1 \sqcap N_2 \;\mid\; \Box_{i \in I}\, a_i.N_i$$

Proposition 9.3. For every $P \in \mathrm{nCSP}$ there is a normal form $N$ such that $P =_E N$.

Proof. A fairly straightforward induction, heavily relying on (D1)–(D3). □

We can also show that the axioms (P1)–(P3) and (D1) are in some sense all that are required to reason about probabilistic choice. Let $P =_{prob} Q$ denote that equivalence of $P$ and $Q$ can be derived using those axioms alone. Then we have the following property.

Lemma 9.4. Let $P, Q \in \mathrm{nCSP}$. Then $[\![P]\!] = [\![Q]\!]$ implies $P =_{prob} Q$.

Here $[\![P]\!] = [\![Q]\!]$ says that $[\![P]\!]$ and $[\![Q]\!]$ are the very same distributions of state-based processes in sCSP; this is a much stronger prerequisite than $P$ and $Q$ being testing equivalent.

Proof. The axioms (P1)–(P3) and (D1) essentially allow any processes to be written in the unique form $\bigoplus_{i \in I} p_i s_i$, where the $s_i \in \mathrm{sCSP}$ are all different. □
May:

(May0) $a.P \;\Box\; b.Q \;=\; a.P \sqcap b.Q$

(May1) $P \;\sqsubseteq\; P \sqcap Q$

(May2) $0 \;\sqsubseteq\; P$

(May3) $a.(P\ {}_p\!\oplus\ Q) \;\sqsubseteq\; a.P\ {}_p\!\oplus\ a.Q$

Must:

(Must1) $P \sqcap Q \;\sqsubseteq\; Q$

(Must2) $R \sqcap \bigsqcap_{i \in I} \bigoplus_{j \in J_i} p_{ij} \cdot (a_i.Q_{ij} \;\Box\; R_{ij}) \;\sqsubseteq\; \Box_{i \in I}\, a_i.\bigoplus_{j \in J_i} p_{ij} \cdot Q_{ij}$,

provided $\mathrm{inits}(R) \subseteq \{a_i\}_{i \in I}$

Figure 5: Inequations



10. INEQUATIONAL THEORIES 

In order to characterise the simulation preorders, and the associated testing preorders, we introduce inequations. We write $P \sqsubseteq_{E_{may}} Q$ when $P \sqsubseteq Q$ is derivable from the inequational theory obtained by adding the four may inequations in Figure 5 to the equations in Figure 4. The first three additions, (May0)–(May2), are used in the standard testing theory of CSP [17, 6, 15]. For the must case, in addition to the standard inequation (Must1), we require an inequational schema, (Must2); this uses the notation $\mathrm{inits}(P)$ to denote the (finite) set of initial actions of $P$. Formally,

$$\mathrm{inits}(0) = \emptyset$$
$$\mathrm{inits}(a.P) = \{a\}$$
$$\mathrm{inits}(P\ {}_p\!\oplus\ Q) = \mathrm{inits}(P) \cup \mathrm{inits}(Q)$$
$$\mathrm{inits}(P \;\Box\; Q) = \mathrm{inits}(P) \cup \mathrm{inits}(Q)$$
$$\mathrm{inits}(P \sqcap Q) = \{\tau\}$$

The axiom (Must2) can equivalently be formulated as follows:

$$\bigoplus_{k \in K} p_k \cdot \Box_{\ell \in L_k}\, a_{k\ell}.R_{k\ell} \;\sqcap\; \bigsqcap_{i \in I} \bigoplus_{j \in J_i} p_{ij} \cdot (a_i.Q_{ij} \;\Box\; R_{ij}) \;\sqsubseteq\; \Box_{i \in I}\, a_i.\bigoplus_{j \in J_i} p_{ij} \cdot Q_{ij},$$

provided $\{a_{k\ell} \mid k \in K,\ \ell \in L_k\} \subseteq \{a_i \mid i \in I\}$.

This is the case because a term $R$ satisfies $\mathrm{inits}(R) \subseteq \{a_i\}_{i \in I}$ iff it can be converted into the form $\bigoplus_{k \in K} p_k \cdot \Box_{\ell \in L_k}\, a_{k\ell}.R_{k\ell}$ by means of axioms (D1), (P1)–(P3) and (E1)–(E3) of Figure 4.

This axiom can also be reformulated in an equivalent but more semantic style:

(Must2$'$) $R \sqcap \bigsqcap_{i \in I} P_i \;\sqsubseteq\; \Box_{i \in I}\, a_i.Q_i$,

provided $[\![P_i]\!] \xrightarrow{a_i} [\![Q_i]\!]$ and $[\![R]\!] \stackrel{X}{\not\longrightarrow}$ with $X = Act \setminus \{a_i\}_{i \in I}$.

This is the case because $[\![P]\!] \xrightarrow{a} [\![Q]\!]$ iff, up to the axioms in Figure 4, $P$ has the form $\bigoplus_{j \in J} p_j \cdot (a.Q_j \;\Box\; R_j)$ and $Q$ has the form $\bigoplus_{j \in J} p_j \cdot Q_j$ for certain $R_j$ and $p_j$, for $j \in J$.
Note that (Must2) can be used, together with (I1), to derive the dual of (May3) via the following inference:

$$a.P\ {}_p\!\oplus\ a.Q \;=_E\; (a.P\ {}_p\!\oplus\ a.Q) \sqcap (a.P\ {}_p\!\oplus\ a.Q)$$
$$\qquad\qquad \sqsubseteq_{E_{must}}\; a.(P\ {}_p\!\oplus\ Q)$$

where we write $P \sqsubseteq_{E_{must}} Q$ when $P \sqsubseteq Q$ is derivable from the resulting inequational theory. An important inequation that follows from (May1) and (P1) is

(May4) $P\ {}_p\!\oplus\ Q \;\sqsubseteq_{E_{may}}\; P \sqcap Q$

saying that any probabilistic choice can be simulated by an internal choice. It is derived as follows:

$$P\ {}_p\!\oplus\ Q \;\sqsubseteq_{E_{may}}\; (P \sqcap Q)\ {}_p\!\oplus\ (P \sqcap Q)$$
$$\qquad\quad =_E\; P \sqcap Q$$

Likewise, we have

$$P \sqcap Q \;\sqsubseteq_{E_{must}}\; P\ {}_p\!\oplus\ Q .$$

Theorem 10.1. For $P, Q$ in nCSP, it holds that

(i) $P \sqsubseteq_S Q$ if and only if $P \sqsubseteq_{E_{may}} Q$;

(ii) $P \sqsubseteq_{FS} Q$ if and only if $P \sqsubseteq_{E_{must}} Q$.

Proof. For one direction it is sufficient to check that the inequations, and the inequational schema, in Figure 5 are sound. For $\sqsubseteq_S$ this has been done in [8], and the soundness of (Must1) and (Must2$'$) for $\sqsubseteq_{FS}$ is trivial. The converse, completeness, is established in the next section. □



11. Completeness 

The completeness proof of Theorem 10.1 depends on the following variation on the Derivative lemma of [30]:

Lemma 11.1 (Derivative lemma). Let $P, Q \in \mathrm{nCSP}$.

(i) If $[\![P]\!] \Longrightarrow [\![Q]\!]$ then $P \sqsubseteq_{E_{must}} Q$ and $Q \sqsubseteq_{E_{may}} P$.

(ii) If $[\![P]\!] \stackrel{a}{\Longrightarrow} [\![Q]\!]$ then $a.Q \sqsubseteq_{E_{may}} P$.

Proof. The proof of (i) proceeds in four stages. We only deal with $\sqsubseteq_{E_{may}}$, as the proof for $\sqsubseteq_{E_{must}}$ is entirely analogous.

First we show by structural induction on $s \in \mathrm{sCSP} \cap \mathrm{nCSP}$ that $s \xrightarrow{\tau} [\![Q]\!]$ implies $Q \sqsubseteq_{E_{may}} s$. So suppose $s \xrightarrow{\tau} [\![Q]\!]$. In case $s$ has the form $P_1 \sqcap P_2$ it follows by the operational semantics of pCSP that $Q = P_1$ or $Q = P_2$. Hence $Q \sqsubseteq_{E_{may}} s$ by (May1). The only other possibility is that $s$ has the form $s_1 \;\Box\; s_2$. In that case there must be a distribution $\Delta$ such that either $s_1 \xrightarrow{\tau} \Delta$ and $[\![Q]\!] = \Delta \;\Box\; s_2$, or $s_2 \xrightarrow{\tau} \Delta$ and $[\![Q]\!] = s_1 \;\Box\; \Delta$. Using symmetry, we may restrict attention to the first case. Let $R$ be a term such that $[\![R]\!] = \Delta$. Then $[\![R \;\Box\; s_2]\!] = \Delta \;\Box\; s_2 = [\![Q]\!]$, so Lemma 9.4 yields $Q =_{prob} R \;\Box\; s_2$. By induction we have $R \sqsubseteq_{E_{may}} s_1$, hence $R \;\Box\; s_2 \sqsubseteq_{E_{may}} s_1 \;\Box\; s_2$, and thus $Q \sqsubseteq_{E_{may}} s$.

Now we show that $s \xrightarrow{\hat{\tau}} [\![Q]\!]$ implies $Q \sqsubseteq_{E_{may}} s$. This follows because $s \xrightarrow{\hat{\tau}} [\![Q]\!]$ means that either $s \xrightarrow{\tau} [\![Q]\!]$ or $[\![Q]\!] = \bar{s}$, and in the latter case Lemma 9.4 yields $Q =_{prob} s$.

Next we show that $[\![P]\!] \xrightarrow{\hat{\tau}} [\![Q]\!]$ implies $Q \sqsubseteq_{E_{may}} P$. So suppose $[\![P]\!] \xrightarrow{\hat{\tau}} [\![Q]\!]$, that is

$$[\![P]\!] = \sum_{i \in I} p_i \cdot \bar{s}_i, \qquad s_i \xrightarrow{\hat{\tau}} [\![Q_i]\!], \qquad [\![Q]\!] = \sum_{i \in I} p_i \cdot [\![Q_i]\!]$$

for some $I$, $p_i \in (0, 1]$, $s_i \in \mathrm{sCSP} \cap \mathrm{nCSP}$ and $Q_i \in \mathrm{nCSP}$. Now

(1) $[\![P]\!] = [\![\bigoplus_{i \in I} p_i \cdot s_i]\!]$. By Lemma 9.4 we have $P =_{prob} \bigoplus_{i \in I} p_i \cdot s_i$.

(2) $[\![Q]\!] = [\![\bigoplus_{i \in I} p_i \cdot Q_i]\!]$. Again Lemma 9.4 yields $Q =_{prob} \bigoplus_{i \in I} p_i \cdot Q_i$.

(3) $s_i \xrightarrow{\hat{\tau}} [\![Q_i]\!]$ implies $Q_i \sqsubseteq_{E_{may}} s_i$. Therefore, $\bigoplus_{i \in I} p_i \cdot Q_i \sqsubseteq_{E_{may}} \bigoplus_{i \in I} p_i \cdot s_i$.

Combining (1), (2) and (3) we obtain $Q \sqsubseteq_{E_{may}} P$.

Finally, the general case, when $[\![P]\!] \Longrightarrow \Delta$, is now a simple inductive argument on the length of the derivation.

The proof of (ii) is similar: first we treat the case when $s \xrightarrow{a} [\![Q]\!]$ by structural induction, using (May2); then the case $[\![P]\!] \xrightarrow{a} [\![Q]\!]$, exactly as above; and finally use part (i) to derive the general case. □

The completeness result now follows from the following two propositions. 

Proposition 11.2. Let P and Q be in nCSP. Then P Qs Q implies P EE may Q- 

Proof. The proof is by structural induction on $P$ and $Q$, and we may assume that both $P$ and $Q$ are in normal form because of Proposition 9.3. So take $P, Q \in \mathrm{pCSP}$ and suppose the claim has been established for all subterms $P'$ of $P$ and $Q'$ of $Q$, of which at least one of the two is a strict subterm. We start by proving that if $P \in \mathrm{sCSP}$ then we have

$$P \mathrel{\triangleleft_s} [Q] \quad\text{implies}\quad P \sqsubseteq_{E\mathrm{may}} Q. \tag{11.1}$$

There are two cases to consider.

(1) $P$ has the form $P_1 \sqcap P_2$. Since $P_i \sqsubseteq_S P$ we know $P_i \sqsubseteq_S P \sqsubseteq_S Q$. We use induction to obtain $P_i \sqsubseteq_{E\mathrm{may}} Q$, from which the result follows using (I1).

(2) $P$ has the form $\Box_{i \in I}\, a_i.P_i$. If $I$ contains two or more elements then $P$ may also be written as $\bigsqcap_{i \in I} a_i.P_i$, using (May0) and (D2), and we may proceed as in case (1) above. If $I$ is empty, that is $P$ is $0$, then we can use (May2). So we are left with the possibility that $P$ is $a.P'$. Thus suppose that $a.P' \mathrel{\triangleleft_s} [Q]$. We proceed by a case analysis on the structure of $Q$.

• $Q$ is $a.Q'$. We know from $a.P' \mathrel{\triangleleft_s} [a.Q']$ that $[P'] \mathrel{\overline{\triangleleft}_s} \theta$ for some $\theta$ with $[Q'] \Longrightarrow \theta$, thus $P' \sqsubseteq_S Q'$. Therefore, we have $P' \sqsubseteq_{E\mathrm{may}} Q'$ by induction. It follows that $a.P' \sqsubseteq_{E\mathrm{may}} a.Q'$.

• $Q$ is $\Box_{j \in J}\, a_j.Q_j$ with at least two elements in $J$. We use (May0) and then proceed as in the next case.

• $Q$ is $Q_1 \sqcap Q_2$. We know from $a.P' \mathrel{\triangleleft_s} [Q_1 \sqcap Q_2]$ that $[P'] \mathrel{\overline{\triangleleft}_s} \theta$ for some $\theta$ such that one of the following two conditions holds:

  (a) $[Q_i] \stackrel{\hat a}{\Longrightarrow} \theta$ for $i = 1$ or $2$. In this case, $a.P' \mathrel{\triangleleft_s} [Q_i]$, hence $a.P' \sqsubseteq_S Q_i$. By induction we have $a.P' \sqsubseteq_{E\mathrm{may}} Q_i$; then we apply (May1).

  (b) $[Q_1] \stackrel{\hat a}{\Longrightarrow} \theta_1$ and $[Q_2] \stackrel{\hat a}{\Longrightarrow} \theta_2$ such that $\theta = p \cdot \theta_1 + (1-p) \cdot \theta_2$ for some $p \in (0,1)$. Let $\theta_i = [Q'_i]$ for $i = 1, 2$. By the Derivative Lemma, we have $a.Q'_1 \sqsubseteq_{E\mathrm{may}} Q_1$ and $a.Q'_2 \sqsubseteq_{E\mathrm{may}} Q_2$. Clearly, $[Q'_1 \mathbin{{}_p\oplus} Q'_2] = \theta$, thus $P' \sqsubseteq_S Q'_1 \mathbin{{}_p\oplus} Q'_2$. By induction, we infer that $P' \sqsubseteq_{E\mathrm{may}} Q'_1 \mathbin{{}_p\oplus} Q'_2$. So

$$\begin{array}{rcll}
a.P' & \sqsubseteq_{E\mathrm{may}} & a.(Q'_1 \mathbin{{}_p\oplus} Q'_2) & \\
     & \sqsubseteq_{E\mathrm{may}} & a.Q'_1 \mathbin{{}_p\oplus} a.Q'_2 & \text{(May3)} \\
     & \sqsubseteq_{E\mathrm{may}} & Q_1 \mathbin{{}_p\oplus} Q_2 & \\
     & \sqsubseteq_{E\mathrm{may}} & Q_1 \sqcap Q_2 & \text{(May4)}
\end{array}$$

• $Q$ is $Q_1 \mathbin{{}_p\oplus} Q_2$. We know from $a.P' \mathrel{\triangleleft_s} [Q_1 \mathbin{{}_p\oplus} Q_2]$ that $[P'] \mathrel{\overline{\triangleleft}_s} \theta$ for some $\theta$ such that $[Q_1 \mathbin{{}_p\oplus} Q_2] \stackrel{\hat a}{\Longrightarrow} \theta$. From Lemma 4.1 we know that $\theta$ must take the form $p \cdot [Q'_1] + (1-p) \cdot [Q'_2]$, where $[Q_i] \stackrel{\hat a}{\Longrightarrow} [Q'_i]$ for $i = 1, 2$. Hence $P' \sqsubseteq_S Q'_1 \mathbin{{}_p\oplus} Q'_2$, and by induction we get $P' \sqsubseteq_{E\mathrm{may}} Q'_1 \mathbin{{}_p\oplus} Q'_2$. Then we can derive $a.P' \sqsubseteq_{E\mathrm{may}} Q_1 \mathbin{{}_p\oplus} Q_2$ as in the previous case.

Now we use (11.1) to show that $P \sqsubseteq_S Q$ implies $P \sqsubseteq_{E\mathrm{may}} Q$. Suppose $P \sqsubseteq_S Q$. Applying Definition 4.3 with the understanding that any distribution $\Theta \in \mathcal{D}(\mathrm{sCSP})$ can be written as $[Q']$ for some $Q' \in \mathrm{pCSP}$, this means that $[P] \mathrel{\overline{\triangleleft}_s} [Q']$ for some $[Q] \Longrightarrow [Q']$. The Derivative Lemma yields $Q' \sqsubseteq_{E\mathrm{may}} Q$. So it suffices to show $P \sqsubseteq_{E\mathrm{may}} Q'$. We know that $[P] \mathrel{\overline{\triangleleft}_s} [Q']$ means that

$$[P] = \sum_{k \in K} r_k \cdot \overline{t_k}, \qquad t_k \mathrel{\triangleleft_s} [Q'_k], \qquad [Q'] = \sum_{k \in K} r_k \cdot [Q'_k]$$

for some $K$, $r_k \in (0,1]$, $t_k \in \mathrm{sCSP}$ and $Q'_k \in \mathrm{pCSP}$. Now

(1) $[P] = [\bigoplus_{k \in K} r_k \cdot t_k]$. By Lemma 9.4 we have $P =_{\mathrm{prob}} \bigoplus_{k \in K} r_k \cdot t_k$.

(2) $[Q'] = [\bigoplus_{k \in K} r_k \cdot Q'_k]$. Again Lemma 9.4 yields $Q' =_{\mathrm{prob}} \bigoplus_{k \in K} r_k \cdot Q'_k$.

(3) $t_k \mathrel{\triangleleft_s} [Q'_k]$ implies $t_k \sqsubseteq_{E\mathrm{may}} Q'_k$ by (11.1). Therefore, $\bigoplus_{k \in K} r_k \cdot t_k \sqsubseteq_{E\mathrm{may}} \bigoplus_{k \in K} r_k \cdot Q'_k$.

Combining (1), (2) and (3) we obtain $P \sqsubseteq_{E\mathrm{may}} Q'$, hence $P \sqsubseteq_{E\mathrm{may}} Q$. □

Proposition 11.3. Let $P$ and $Q$ be in nCSP. Then $P \sqsubseteq_{FS} Q$ implies $P \sqsubseteq_{E\mathrm{must}} Q$.

Proof. Similar to the proof of Proposition 11.2 but using a reversed orientation of the preorders. The only real difference is the case (2), which we consider now. So assume $Q \mathrel{\triangleleft_{FS}} [P]$, where $Q$ has the form $\Box_{i \in I}\, a_i.Q_i$. Let $X$ be any set of actions such that $X \cap \{a_i\}_{i \in I} = \emptyset$; then $\Box_{i \in I}\, a_i.Q_i \stackrel{X}{\nrightarrow}$. Therefore, there exists a $P'$ such that $[P] \Longrightarrow [P'] \stackrel{X}{\nrightarrow}$. By the Derivative Lemma,

$$P \sqsubseteq_{E\mathrm{must}} P'. \tag{11.2}$$

Since $\Box_{i \in I}\, a_i.Q_i \xrightarrow{a_i} [Q_i]$, there exist $P_i, P'_i, P''_i$ such that $[P] \Longrightarrow [P_i] \xrightarrow{a_i} [P'_i] \Longrightarrow [P''_i]$ and $[Q_i] \mathrel{\overline{\triangleleft}_{FS}} [P''_i]$. Now

$$P \sqsubseteq_{E\mathrm{must}} a_i.P'_i \tag{11.3}$$

using the Derivative Lemma, and $P'_i \sqsubseteq_{FS} Q_i$ by Definition 4.3. By induction, we have $P'_i \sqsubseteq_{E\mathrm{must}} Q_i$, hence

$$\Box_{i \in I}\, a_i.P'_i \sqsubseteq_{E\mathrm{must}} \Box_{i \in I}\, a_i.Q_i. \tag{11.4}$$

The desired result is now obtained as follows:

$$\begin{array}{rcll}
P & \sqsubseteq_{E\mathrm{must}} & P' \sqcap \bigsqcap_{i \in I} a_i.P'_i & \text{by (I1), (11.2) and (11.3)} \\
  & \sqsubseteq_{E\mathrm{must}} & \Box_{i \in I}\, a_i.P'_i & \text{by (Must2')} \\
  & \sqsubseteq_{E\mathrm{must}} & \Box_{i \in I}\, a_i.Q_i & \text{by (11.4)}
\end{array}$$

□

Propositions 11.2 and 11.3 give us the completeness result stated in Theorem 10.1.
12. Conclusions and related work



In this paper we continued our previous work [8, 10] in our quest for a testing theory for processes which exhibit both nondeterministic and probabilistic behaviour. We have studied three different aspects of may- and must testing preorders for finite processes: (i) we have shown that the may preorder can be characterised as a co-inductive simulation relation, and the must preorder as a failure simulation relation; (ii) we have given a characterisation of both preorders in a finitary modal logic; and (iii) we have also provided complete axiomatisations for both preorders over a probabilistic version of recursion-free CSP. Although we omitted our parallel operator $|_A$ from the axiomatisations, it and similar CSP- and CCS-like parallel operators can be handled using standard techniques, in the must case at the expense of introducing auxiliary operators. In future work we hope to extend these results to recursive processes.

We believe these results, in each of the three areas, to be novel, although a number of 
partial results along similar lines exist in the literature. These are detailed below. 

Related work: Early additions of probability to CSP include work by Lowe [28], Seidel [39] and Morgan et al. [32]; but all of them were forced to make compromises of some kind in order to address the potentially complicated interactions between the three forms of choice. The last [32] for example applied the Jones/Plotkin probabilistic powerdomain directly to the failures model of CSP [2], the resulting compromise being that probability distributed outwards through all other operators; one controversial result of that was that internal choice was no longer idempotent, and that it was "clairvoyant" in the sense that it could adapt to probabilistic-choice outcomes that had not yet occurred. Mislove addressed this problem in [31] by presenting a denotational model in which internal choice distributed outwards through probabilistic choice. However, the distributivities of both [32] and [31] constitute identifications that cannot be justified by our testing approach; see [8].

In Jou and Smolka [21], as in [28, 39], probabilistic equivalences based on traces, failures and readies are defined. These equivalences are coarser than $\simeq_{p\mathrm{may}}$. For example, the two processes in Example 2.2 cannot be distinguished by the equivalences of [24, 28, 39]. However, we can tell them apart by the test given in Example 3.3.

Probabilistic extensions of testing equivalences [6] have been widely studied. There are two different proposals on how to include probabilistic choice: (i) a test should be non-probabilistic, that is there is no occurrence of probabilistic choice in a test [21, 4, 20, 26, 10]; or (ii) a test can be probabilistic, that is probabilistic choice may occur in tests as well as processes [5, 33, 22, 37, 23, 3]. This paper adopts the second approach.

Some work [27, 5, 33] does not consider nondeterminism but deals exclusively with fully probabilistic processes. In this setting a process passes a test with a unique probability instead of a set of probabilities, and testing preorders in the style of [6] have been characterised in terms of probabilistic traces [5] and probabilistic acceptance trees [33]. Cazorla et al. [3] extended the results of [33] with nondeterminism, but suffered from the same problems as [32].

The work most closely related to ours is [22, 23]. In [22] Jonsson and Wang characterised may- and must-testing preorders in terms of "chains" of traces and failures, respectively, and in [23] they presented a "substantially improved" characterisation of their may-testing preorder using a notion of simulation which is weaker than $\sqsubseteq_S$ (cf. Definition 4.3). They only considered processes without $\tau$-moves. In [8] we have shown that tests with internal moves can distinguish more processes than tests without internal moves, even when applied to processes that have no internal moves themselves.

CHARACTERISING TESTING PREORDERS FOR FINITE PROBABILISTIC PROCESSES

Segala [37] defined two preorders called trace distribution precongruence ($\sqsubseteq_{TD}$) and failure distribution precongruence ($\sqsubseteq_{FD}$). He proved that the former coincides with an infinitary version of $\sqsubseteq_{p\mathrm{may}}$ (cf. Definition 6.1) and that the latter coincides with an infinitary version of $\sqsubseteq_{p\mathrm{must}}$. In [29] it has been shown that $\sqsubseteq_{TD}$ coincides with a notion of simulation akin to $\sqsubseteq_S$. Other probabilistic extensions of simulation occurring in the literature are reviewed in [8].



Appendix A. Resolution-based testing 

A probabilistic automaton consists of a pLTS $(S, L, \rightarrow)$ and a distribution $\Delta^\circ$ over $S$. Since we only consider probabilistic automata with $L = \mathrm{Act}_\tau \cup \Omega$, we omit it and write a probabilistic automaton simply as a triple $(S, \Delta^\circ, \rightarrow)$ and call $\Delta^\circ$ the initial distribution of the automaton. The operational semantics of a $\mathrm{pCSP}^\Omega$ process $P$ can thus be viewed as a probabilistic automaton with initial distribution $\Delta^\circ := [P]$. States in a probabilistic automaton that are not reachable from the initial distribution are generally considered irrelevant and can be omitted.

A probabilistic automaton is called finite if there exists a function $\mathit{depth} : S \cup \mathcal{D}(S) \rightarrow \mathbb{N}$ such that $s \in \lceil \Delta \rceil$ implies $\mathit{depth}(s) \le \mathit{depth}(\Delta)$ and $s \xrightarrow{\alpha} \Delta$ implies $\mathit{depth}(s) > \mathit{depth}(\Delta)$. Finite probabilistic automata can be drawn as explained at the end of Section 2.

A fully probabilistic automaton is one in which each state enables at most one action, and (general) probabilistic automata can be "resolved" into fully probabilistic automata by pruning away multiple action-choices until only single choices are left, possibly introducing some linear combinations in the process. We define this formally for probabilistic automata representing $\mathrm{pCSP}^\Omega$ expressions.

Definition A.1. [10] A resolution of a distribution $\Delta^\circ \in \mathcal{D}(\mathrm{sCSP}^\Omega)$ is a fully probabilistic automaton $(R, \Theta^\circ, \rightarrow)$ such that there is a resolving function $f : R \rightarrow \mathrm{sCSP}^\Omega$ which satisfies:

(i) $f(\Theta^\circ) = \Delta^\circ$

(ii) if $r \xrightarrow{\alpha} \Theta$ then $f(r) \xrightarrow{\alpha} f(\Theta)$

(iii) if $r \nrightarrow$ then $f(r) \nrightarrow$

where $f(\Theta)$ is the distribution defined by $f(\Theta)(s) := \sum_{f(r) = s} \Theta(r)$.

Note that resolutions of distributions $\Delta^\circ \in \mathcal{D}(\mathrm{sCSP}^\Omega)$ are always finite. We define a function which yields the probability that a given fully probabilistic automaton will start with a particular sequence of actions.

Definition A.2. [10] Given a fully probabilistic automaton $\mathbf{R} = (R, \Delta^\circ, \rightarrow)$ the probability that $\mathbf{R}$ follows the sequence of actions $\sigma \in \Sigma^*$ from its initial distribution is given by $\mathrm{Pr}_{\mathbf{R}}(\sigma, \Delta^\circ)$, where $\mathrm{Pr}_{\mathbf{R}} : \Sigma^* \times R \rightarrow [0,1]$ is defined inductively by

$$\mathrm{Pr}_{\mathbf{R}}(\varepsilon, r) := 1 \qquad\text{and}\qquad \mathrm{Pr}_{\mathbf{R}}(a\sigma, r) := \begin{cases} \mathrm{Pr}_{\mathbf{R}}(\sigma, \Delta) & \text{if } r \xrightarrow{a} \Delta \\ 0 & \text{otherwise} \end{cases}$$

and $\mathrm{Pr}_{\mathbf{R}}(\sigma, \Delta) := \mathrm{Exp}_\Delta(\mathrm{Pr}_{\mathbf{R}}(\sigma, \_)) = \sum_{r \in \lceil \Delta \rceil} \Delta(r) \cdot \mathrm{Pr}_{\mathbf{R}}(\sigma, r)$. Here $\varepsilon$ denotes the empty sequence of actions and $a\sigma$ the sequence starting with $a \in \Sigma$ and continuing with $\sigma \in \Sigma^*$. The value $\mathrm{Pr}_{\mathbf{R}}(\sigma, r)$ is the probability that $\mathbf{R}$ proceeds with sequence $\sigma$ from state $r$.

Now let $\Sigma^{*a}$ be the set of finite sequences in $\Sigma^*$ that contain $a$ exactly once, and that at the end. Then the probability that the fully probabilistic automaton $\mathbf{R}$ ever performs an action $a$ is given by $\sum_{\sigma \in \Sigma^{*a}} \mathrm{Pr}_{\mathbf{R}}(\sigma, \Delta^\circ)$.

We recall the results-gathering function $\mathbb{W}$ given in Definition 5 of [10].

Definition A.3. For a fully probabilistic automaton $\mathbf{R}$, let its success tuple $\mathbb{W}(\mathbf{R}) \in [0,1]^\Omega$ be such that $\mathbb{W}(\mathbf{R})(\omega)$ is the probability that $\mathbf{R}$ ever performs the action $\omega$.

Then for a distribution $\Delta^\circ \in \mathcal{D}(\mathrm{sCSP}^\Omega)$ we define the set of its success tuples to be those resulting as above from all its resolutions separately:

$$\mathbb{W}(\Delta^\circ) := \{ \mathbb{W}(\mathbf{R}) \mid \mathbf{R} \text{ is a resolution of } \Delta^\circ \}.$$

We relate these sets of tuples to Definition 6.1 in which similar sets are produced "all at once," that is without introducing resolutions first. In fact we will find that they are the same. Note that Definition 6.1 of $\mathcal{V}^\Omega_f$ extends smoothly to states and distributions in probabilistic automata. When applied to fully probabilistic automata, $\mathcal{V}^\Omega_f$ always yields singleton sets, which we will loosely identify with their unique members; thus when we write $\mathcal{V}^\Omega_f(\Delta)(\omega)$ with $\Delta$ a distribution in a fully probabilistic automaton, we actually mean the $\omega$-component of the unique element of $\mathcal{V}^\Omega_f(\Delta)$.

Lemma A.4. If $\mathbf{R} = (R, \Delta^\circ, \rightarrow)$ is a finite fully probabilistic automaton, then

(1) $\mathcal{V}^\Omega(\Delta) = \mathcal{V}^\Omega_f(\Delta)$ for all $\Delta \in \mathcal{D}(R)$, and

(2) $\mathbb{W}(\mathbf{R}) = \mathcal{V}^\Omega(\Delta^\circ)$.

Proof. (1) is immediate: since the automaton is fully probabilistic, convex closure has no effect. For (2) we need to show that for all $\omega \in \Omega$ we have $\mathbb{W}(\mathbf{R})(\omega) = \mathcal{V}^\Omega(\Delta^\circ)(\omega)$, i.e. that $\sum_{\sigma \in \Sigma^{*\omega}} \mathrm{Pr}_{\mathbf{R}}(\sigma, \Delta^\circ) = \mathcal{V}^\Omega(\Delta^\circ)(\omega)$. So let $\omega \in \Omega$. We show

$$\sum_{\sigma \in \Sigma^{*\omega}} \mathrm{Pr}_{\mathbf{R}}(\sigma, \Delta) = \mathcal{V}^\Omega(\Delta)(\omega) \qquad\text{and}\qquad \sum_{\sigma \in \Sigma^{*\omega}} \mathrm{Pr}_{\mathbf{R}}(\sigma, r) = \mathcal{V}^\Omega(r)(\omega) \tag{A.1}$$

for all $\Delta \in \mathcal{D}(R)$ and $r \in R$, by simultaneous induction on the depths of $\Delta$ and $r$.

• In the base case $r$ has no enabled actions. Then $\sum_{\sigma \in \Sigma^{*\omega}} \mathrm{Pr}_{\mathbf{R}}(\sigma, r) = 0$ and $\mathcal{V}^\Omega(r) = \vec{0}$, so $\mathcal{V}^\Omega(r)(\omega) = 0$.

• Now suppose there is a transition $r \xrightarrow{\alpha} \Delta$ for some action $\alpha$ and distribution $\Delta$. There are two possibilities:

  – $\alpha = \omega$. We then have $\mathcal{V}^\Omega(r)(\omega) = 1$. Now for any finite non-empty sequence $\sigma$ without any occurrence of $\omega$ we have $\mathrm{Pr}_{\mathbf{R}}(\sigma\omega, r) = 0$. Thus $\sum_{\sigma \in \Sigma^{*\omega}} \mathrm{Pr}_{\mathbf{R}}(\sigma, r) = \mathrm{Pr}_{\mathbf{R}}(\omega, r) = 1$ as required.

  – $\alpha \ne \omega$. Since $\mathcal{V}^\Omega(r) = \alpha!\mathcal{V}^\Omega(\Delta)$, we have $\mathcal{V}^\Omega(r)(\omega) = \mathcal{V}^\Omega(\Delta)(\omega)$. On the other hand, $\mathrm{Pr}_{\mathbf{R}}(\beta\sigma, r) = 0$ for $\beta \ne \alpha$. Therefore

$$\sum_{\sigma \in \Sigma^{*\omega}} \mathrm{Pr}_{\mathbf{R}}(\sigma, r) = \sum_{\sigma \in \Sigma^{*\omega}} \mathrm{Pr}_{\mathbf{R}}(\alpha\sigma, r) = \sum_{\sigma \in \Sigma^{*\omega}} \mathrm{Pr}_{\mathbf{R}}(\sigma, \Delta) = \mathcal{V}^\Omega(\Delta)(\omega) = \mathcal{V}^\Omega(r)(\omega),$$

where the third step is by induction.

• Finally, $\sum_{\sigma \in \Sigma^{*\omega}} \mathrm{Pr}_{\mathbf{R}}(\sigma, \Delta) = \sum_{\sigma \in \Sigma^{*\omega}} \mathrm{Exp}_\Delta(\mathrm{Pr}_{\mathbf{R}}(\sigma, \_)) = \mathrm{Exp}_\Delta\big(\sum_{\sigma \in \Sigma^{*\omega}} \mathrm{Pr}_{\mathbf{R}}(\sigma, \_)\big) = \mathrm{Exp}_\Delta(\mathcal{V}^\Omega(\_)(\omega)) = \mathrm{Exp}_\Delta(\mathcal{V}^\Omega(\_))(\omega) = \mathcal{V}^\Omega(\Delta)(\omega)$. □
Now we look more closely at the interaction of $\mathcal{V}^\Omega_f$ and resolutions.

Lemma A.5. Let $\Delta^\circ \in \mathcal{D}(\mathrm{sCSP}^\Omega)$.

(1) If $(R, \Theta^\circ, \rightarrow)$ is a resolution of $\Delta^\circ$, then $\mathcal{V}^\Omega_f(\Theta^\circ) \in \mathcal{V}^\Omega_f(\Delta^\circ)$.

(2) If $o \in \mathcal{V}^\Omega_f(\Delta^\circ)$ then there is a resolution $(R, \Theta^\circ, \rightarrow)$ of $\Delta^\circ$ such that $\mathcal{V}^\Omega_f(\Theta^\circ) = o$.

Proof.

(1) Let $(R, \Theta^\circ, \rightarrow)$ be a resolution of $\Delta^\circ$ with resolving function $f$. We observe that for any $\Theta \in \mathcal{D}(R)$ we have

$$\forall r \in \lceil \Theta \rceil : \mathcal{V}^\Omega_f(r) \in \mathcal{V}^\Omega_f(f(r)) \quad\text{implies}\quad \mathcal{V}^\Omega_f(\Theta) \in \mathcal{V}^\Omega_f(f(\Theta)) \tag{A.2}$$

because

$$\mathcal{V}^\Omega_f(\Theta) = \sum_{r \in \lceil \Theta \rceil} \Theta(r) \cdot \mathcal{V}^\Omega_f(r) \;\in\; \sum_{s \in \lceil f(\Theta) \rceil} f(\Theta)(s) \cdot \mathcal{V}^\Omega_f(s) = \mathcal{V}^\Omega_f(f(\Theta)),$$

where the membership step groups the $r$ with $f(r) = s$ and uses that each $\mathcal{V}^\Omega_f(s)$ is convex.

We now prove by induction on $\mathit{depth}(r)$ that $\forall r \in R : \mathcal{V}^\Omega_f(r) \in \mathcal{V}^\Omega_f(f(r))$, from which the required result follows in view of (A.2) and the fact that $f(\Theta^\circ) = \Delta^\circ$.

• In the base case we have $r \nrightarrow$, which implies $f(r) \nrightarrow$. Therefore, we have $\mathcal{V}^\Omega_f(r) = \vec{0} \in \mathcal{V}^\Omega_f(f(r))$.

• Otherwise $r$ has a transition $r \xrightarrow{\alpha} \Theta$ for some $\alpha$ and $\Theta$. By induction we have $\mathcal{V}^\Omega_f(r') \in \mathcal{V}^\Omega_f(f(r'))$ for all $r' \in \lceil \Theta \rceil$. Using (A.2) we get $\mathcal{V}^\Omega_f(\Theta) \in \mathcal{V}^\Omega_f(f(\Theta))$. Now

$$\mathcal{V}^\Omega_f(r) = \alpha!\mathcal{V}^\Omega_f(\Theta) \in \alpha!\mathcal{V}^\Omega_f(f(\Theta)) \subseteq \mathcal{V}^\Omega_f(f(r))$$

where the last step follows from the fact that $f(r) \xrightarrow{\alpha} f(\Theta)$ is one of the transitions of $f(r)$.

(2) This clause is proved by induction on $\mathit{depth}(\Delta^\circ)$. First consider the special case that $\Delta^\circ$ is a point distribution on some state $s$.

• In the base case we have $s \nrightarrow$. The probabilistic automaton $(\{s\}, \overline{s}, \emptyset)$ is a resolution of $\Delta^\circ = \overline{s}$ with the resolving function being the identity. Clearly, this resolution satisfies our requirement.

• Otherwise there is a finite, non-empty index set $I$ such that $s \xrightarrow{\alpha_i} \Delta_i$ for some actions $\alpha_i$ and distributions $\Delta_i$. If $o \in \mathcal{V}^\Omega_f(\Delta^\circ) = \mathcal{V}^\Omega_f(s)$, then by the definition of $\mathcal{V}^\Omega_f$ we have $o = \sum_{i \in I} p_i \cdot \alpha_i!o_i$ with $o_i \in \mathcal{V}^\Omega_f(\Delta_i)$ and $\sum_{i \in I} p_i = 1$ for some $p_i \in [0,1]$. By induction, for each $i \in I$ there is a resolution $(R_i, \Theta^\circ_i, \rightarrow_i)$ of $\Delta_i$ with resolving function $f_i$ such that $\mathcal{V}^\Omega_f(\Theta^\circ_i) = o_i$. Without loss of generality, we assume that $R_i$ is disjoint from $R_j$ for $i \ne j$, as well as from $\{r_i \mid i \in I\}$. We now construct a fully probabilistic automaton $(R, \Theta^\circ, \rightarrow)$ as follows:

  • $R := \{r_i \mid i \in I\} \cup \bigcup_{i \in I} R_i$

  • $\Theta^\circ := \sum_{i \in I} p_i \cdot \overline{r_i}$

  • $\rightarrow \;:= \{r_i \xrightarrow{\alpha_i} \Theta^\circ_i \mid i \in I\} \cup \bigcup_{i \in I} \rightarrow_i$.

This automaton is a resolution of $\Delta^\circ = \overline{s}$ with resolving function $f$ defined by

$$f(r) := \begin{cases} s & \text{if } r = r_i \text{ for } i \in I \\ f_i(r) & \text{if } r \in R_i \text{ for } i \in I. \end{cases}$$

The resolution thus constructed satisfies our requirement because

$$\mathcal{V}^\Omega_f(\Theta^\circ) = \mathcal{V}^\Omega_f\Big(\sum_{i \in I} p_i \cdot \overline{r_i}\Big) = \sum_{i \in I} p_i \cdot \alpha_i!\mathcal{V}^\Omega_f(\Theta^\circ_i) = \sum_{i \in I} p_i \cdot \alpha_i!o_i = o.$$

We now consider the general case that $\Delta^\circ$ is a proper distribution with $\lceil \Delta^\circ \rceil = \{s_j \mid j \in J\}$ for some finite index set $J$. Using the reasoning in the above special case, we have a resolution $(R_j, \Theta^\circ_j, \rightarrow_j)$ of each distribution $\overline{s_j}$. Without loss of generality, we assume that $R_j$ is disjoint from $R_k$ for $j \ne k$. Consider the probabilistic automaton $(\bigcup_{j \in J} R_j,\; \sum_{j \in J} \Delta^\circ(s_j) \cdot \Theta^\circ_j,\; \bigcup_{j \in J} \rightarrow_j)$. It is a resolution of $\Delta^\circ$ satisfying our requirement. If $o \in \mathcal{V}^\Omega_f(\Delta^\circ)$ then $o = \sum_{j \in J} \Delta^\circ(s_j) \cdot o_j$ with $o_j \in \mathcal{V}^\Omega_f(s_j)$. Since $o_j = \mathcal{V}^\Omega_f(\Theta^\circ_j)$, we have $o = \mathcal{V}^\Omega_f\big(\sum_{j \in J} \Delta^\circ(s_j) \cdot \Theta^\circ_j\big)$. □

We can now give the result relied on in Section 6.

Proposition A.6. Let $\Delta^\circ \in \mathcal{D}(\mathrm{sCSP}^\Omega)$. Then we have that $\mathbb{W}(\Delta^\circ) = \mathcal{V}^\Omega_f(\Delta^\circ)$.

Proof. Combine Lemmas A.4 and A.5. □
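The following is an added example, not part of the paper, that makes Definitions A.1 to A.3 and Proposition A.6 concrete on a small constructed automaton with a single success action ($\Omega = \{w\}$). It computes $\mathrm{Pr}_{\mathbf{R}}(\sigma, \Delta)$ of Definition A.2 literally and sums it over $\Sigma^{*w}$ to obtain $\mathbb{W}(\mathbf{R})$, enumerates the deterministic resolutions of a tree-shaped automaton (resolving function the identity), builds an interpolated resolution by the disjoint-copy construction used in the proof of Lemma A.5(2), and compares the outcomes with the interval produced by the convex-closed results-gathering function. The automaton, its state names and the helper names (`success_prob`, `resolve`, `mix`, `vf_dist`, `compare`) are assumptions made for this example; with a single $\omega$ every set of success tuples is an interval, so only its endpoints are tracked.

```python
# Added example, not from the paper: Definitions A.1-A.3 and Proposition A.6
# for a single success action (Omega = {"w"}), using exact rational arithmetic.
from fractions import Fraction as F
from itertools import product

OMEGA = "w"

# Constructed, tree-shaped probabilistic automaton: state -> list of enabled
# transitions (action, distribution), a distribution being {state: probability}.
# s0 offers a nondeterministic choice of two tau-moves, s1 flips a biased coin,
# s4 offers 'a' (leading to success) or 'b' (leading to deadlock), s3 is stuck.
PA = {
    "s0": [("tau", {"s1": F(1)}), ("tau", {"s4": F(1)})],
    "s1": [("a", {"s2": F(1, 3), "s3": F(2, 3)})],
    "s2": [(OMEGA, {"s3": F(1)})],
    "s3": [],
    "s4": [("a", {"s5": F(1)}), ("b", {"s3": F(1)})],
    "s5": [(OMEGA, {"s3": F(1)})],
}
INIT = {"s0": F(1)}  # initial distribution Delta°

# ---- Definition A.2: Pr_R on a fully probabilistic automaton ----------------
# A fully probabilistic automaton is state -> (action, distribution) or None.
def pr_state(R, sigma, r):
    if not sigma:
        return F(1)                        # Pr_R(epsilon, r) = 1
    t = R[r]
    if t is None or t[0] != sigma[0]:
        return F(0)                        # r cannot start with sigma[0]
    return pr_dist(R, sigma[1:], t[1])

def pr_dist(R, sigma, delta):
    # Pr_R(sigma, Delta) = Exp_Delta(Pr_R(sigma, _))
    return sum((p * pr_state(R, sigma, r) for r, p in delta.items()), F(0))

def depth(R, r):
    # Longest path from r; sequences longer than depth(Delta°) have
    # probability zero, which makes the sum over Sigma*^w finite.
    t = R[r]
    return 0 if t is None else 1 + max(depth(R, s) for s in t[1])

def success_prob(R, init, alphabet):
    """W(R)(w): sum over sigma in Sigma*^w of Pr_R(sigma, Delta°)."""
    non_w = [a for a in alphabet if a != OMEGA]
    bound = max(depth(R, r) for r in init)
    total = F(0)
    for k in range(bound):                 # k letters without w, then w
        for prefix in product(non_w, repeat=k):
            total += pr_dist(R, prefix + (OMEGA,), init)
    return total

# ---- Definition A.1: deterministic resolutions (resolving function = identity)
def resolve(PA, pick):
    """Keep transition number pick[s] (default 0) at every state s."""
    return {s: (PA[s][pick.get(s, 0)] if PA[s] else None) for s in PA}

def resolutions(PA):
    states = list(PA)
    for idx in product(*[range(len(PA[s])) if PA[s] else [0] for s in states]):
        yield resolve(PA, dict(zip(states, idx)))

# ---- Lemma A.5(2): interpolate two resolutions via disjoint relabelled copies
def mix(R1, R2):
    """Union of tagged copies; the resolving function strips the tag."""
    R = {}
    for tag, Rk in (("#1", R1), ("#2", R2)):
        for r, t in Rk.items():
            R[r + tag] = None if t is None else (t[0], {s + tag: q for s, q in t[1].items()})
    return R

def mixed_init(init, p):
    # Theta° = p * copy1 + (1 - p) * copy2 of the original initial distribution
    p = F(p)
    return {**{s + "#1": p * q for s, q in init.items()},
            **{s + "#2": (1 - p) * q for s, q in init.items()}}

# ---- Results-gathering with convex closure, for one w, as [min, max] intervals
def vf_state(PA, s):
    if not PA[s]:
        return (F(0), F(0))                # stuck state: outcome 0
    ivs = [(F(1), F(1)) if a == OMEGA else vf_dist(PA, d) for a, d in PA[s]]
    return (min(lo for lo, _ in ivs), max(hi for _, hi in ivs))  # convex hull

def vf_dist(PA, delta):
    lo = sum((p * vf_state(PA, s)[0] for s, p in delta.items()), F(0))
    hi = sum((p * vf_state(PA, s)[1] for s, p in delta.items()), F(0))
    return (lo, hi)

def compare(PA, init):
    """Outcomes of all deterministic resolutions versus the interval V_f(Delta°)."""
    alphabet = sorted({a for ts in PA.values() for a, _ in ts})
    outcomes = sorted({success_prob(R, init, alphabet) for R in resolutions(PA)})
    lo, hi = vf_dist(PA, init)
    return outcomes, (lo, hi), outcomes[0] == lo and outcomes[-1] == hi

if __name__ == "__main__":
    print(compare(PA, INIT))
```

`compare(PA, INIT)` reports the deterministic outcomes $\{0, 1/3, 1\}$ and the interval $[0, 1]$; the endpoints coincide, and `mix` with `mixed_init` at $p = 1/2$ yields the interior point $2/3$, which is the linear combination Lemma A.5(2) constructs.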